Security Updates for Microsoft Windows, Java

December 13, 2011

Microsoft today issued software updates to patch at least 19 security holes in Windows, including three flaws that earned the company’s most serious “critical” rating. Separately, Oracle released a security update that fixes several issues in its Java software.

The most talked-about vulnerability fixed in December’s patch batch is a critical flaw in all supported versions of Windows that’s been exploited for at least the past two months (and probably much longer) by the Duqu Trojan, a sophisticated information-stealer that experts say was an espionage tool constructed to extract sensitive data from industrial control systems. Continue reading

Bugs Money

December 13, 2011

Talk about geek chic. Facebook has started paying researchers who find and report security bugs by issuing them custom branded “White Hat” debit cards that can be reloaded with funds each time the researchers discover new flaws.

Facebook's Bug Bounty debit card for security researchers who report security flaws in its site and applications.

I first read about this card on the Polish IT security portal Niebezpiecznik.pl, which recently published an image of a bug bounty card given to Szymon Gruszecki, a Polish security researcher and penetration tester. A sucker for most things credit/debit card related, I wanted to hear more from researchers who’d received the cards.

Like many participants in Facebook’s program, Gruszecki also is hunting bugs for other companies that offer researchers money in exchange for privately reporting vulnerabilities, including Google, Mozilla, CCBill and Piwik. That’s not to say he only finds bugs for money.

“I regularly report Web app vulnerabilities to various companies [that don’t offer bounties], including Microsoft, Apple, etc.,” Gruszecki wrote in an email exchange.

The bug bounty programs are a clever way for Internet-based companies to simultaneously generate goodwill within the security community and to convince researchers to report bugs privately. Researchers are rewarded if their bugs can be confirmed, and if they give the affected companies time to fix the flaws before going public with the information.

As an added bonus, some researchers — like Gruszecki — choose not to disclose the bugs at all.

Continue reading

Advertisement

Who Knows What Youhavedownloaded.com?

December 12, 2011

You may have never heard of youhavedownloaded.com, but if you recently grabbed movies, music or software from online file-trading networks, chances are decent that the site has heard of you. In fact, you may find that the titles you downloaded are now listed and publicly searchable at the site, indexed by your Internet address.

In many ways, the technology behind the site merely recreates in a publicly searchable way what the entertainment industry has been doing for years: It tracks and records information that users share when they download and upload files on public peer-to-peer file-trading networks. But the free service does have the potential to make people think twice about downloading pirated movies, games and music, because it shows how easily this information can be discovered and archived.

So far, youhavedownloaded.com has recorded more than 50 million unique Internet addresses belonging to file-sharing users. The site is searchable by file name and by Internet address. When you visit, it automatically checks and lets you know if your Internet address is in the database.

Youhavedownloaded.com offers only limited information about its founders. One of them is Suren Ter-Saakov, a Russian native who now lives in a suburb of Philadelphia. I first interviewed Ter-Saakov for a story I wrote in 2009 about the Federal Trade Commission’s unprecedented takedown of troubled Web hosting firm Triple Fiber Network (3FN). The FTC alleged it was hard to find any customers at 3FN that had legitimate, legal content. Ter-Saakov, better known in the Russian Webmaster industry as Mauser, disagreed and successfully sued the FTC to retrieve his domains and servers.

Ter-Saakov said he believes youhavedownloaded.com indexes about 20 percent of the file-sharing activity on the Internet. He maintains that the site was created merely as a proof-of-concept, and that it doesn’t have any commercial application.

“The whole thing started with a theoretical discussion I had with some friends about what is possible to track through software and what is not possible,” Ter-Saakov said in a phone interview. Continue reading

Twitter Bots Drown Out Anti-Kremlin Tweets

December 8, 2011

Thousands of Twitter accounts apparently created in advance to blast automated messages are being used to drown out Tweets sent by bloggers and activists this week who are protesting the disputed parliamentary elections in Russia, security experts said.

Image: Twitterbot.info

Amid widespread reports of ballot stuffing and voting irregularities in the election, thousands of Russians have turned out in the streets to protest. Russian police arrested hundreds of protesters who had gathered in Moscow’s Triumfalnaya Square, including notable anti-corruption blogger Alexei Navalny. In response, protesters began tweeting their disgust in a Twitter hashtag #триумфальная (Triumfalnaya), which quickly became one of the most-tweeted hashtags on Twitter.

But according to several experts, it wasn’t long before messages sent to that hashtag were drowned out by pro-Kremlin tweets that appear to have been sent by countless Twitter bots. Maxim Goncharov, a senior threat researcher at Trend Micro, observed that “if you currently check this hash tag on twitter you’ll see a flood of 5-7 identical tweets from accounts that have been inactive for months and that only had 10-20 tweets before this day. To this point those hacked accounts have already posted 10-20 more tweets in just one hour.”

“Whether the attack was supported officially or not is not relevant, but we can now see how social media has become the battlefield of a new war for freedom of speech,” Goncharov wrote.

I’ve been working with a few security researchers inside of Russia who asked not to be named for fear of retribution by patriotic Russian hackers or the government. Since Trend’s posting, they’ve identified thousands of additional accounts (e.g., @ALanskoy, @APoluyan, @AUstickiy, @AbbotRama, @AbrahamCaldwell…a much longer list is available here) that are rapidly posting anti-protester or pro-Kremlin sentiments to more than a dozen hashtags and keywords that protesters are using to share news, including #Navalny. Continue reading

Pro Grade (3D Printer-Made?) ATM Skimmer

December 7, 2011

In July 2011, a customer at a Chase Bank branch in West Hills, Calif. noticed something odd about the ATM he was using and reported it to police. Authorities who responded to the incident discovered a sophisticated, professional-grade ATM skimmer that they believe was made with the help of a 3D printer.

Below is a front view image of the device. It is an all-in-one skimmer designed to fit over the card acceptance slot and to record the data from the magnetic stripe of any card dipped into the reader. The fraud device is shown sideways in this picture; attached to an actual ATM, it would appear rotated 90 degrees to the right, so that the word “CHASE” is pointing down.

On the bottom of the fake card acceptance slot is a tiny hole for a built-in spy camera that is connected to a battery. The spy camera turns on when a card is dipped into the skimmer’s card acceptance slot, and is angled to record customer PINs.

The bottom of the skimmer device is designed to overlay the controls on the cash machine for vision impaired ATM users. On the underside of that space is a data port to allow manual downloading of information from the skimmer.

Looking at the backside of the device shows shows the true geek factor of this ATM skimmer. The fraudster who built it appears to have cannibalized parts from a video camera or perhaps a smartphone (possibly to enable the transmission of  PIN entry video and stolen card data to the fraudster wirelessly via SMS or Bluetooth). It’s too bad so much of the skimmer is obscured by yellow plastic. I’d welcome any feedback from readers who can easily identify these parts based on the limited information here. Continue reading

Attackers Hit New Adobe Reader, Acrobat Flaw

December 6, 2011

Malicious hackers are targeting a previously unknown security hole in Adobe Reader and Acrobat to compromise Microsoft Windows machines, Adobe warned today.

Adobe says attackers are taking advantage of a newly discovered critical flaw that exists in Adobe Reader X (10.1.1) and earlier versions for Windows and Mac systems, and Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, as well as Adobe Acrobat X (10.1.1) and earlier for Windows and Mac machines. A security bulletin warns of reports that the vulnerability is being actively exploited in “limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.” Continue reading

Download.com Bundling Toolbars, Trojans?

December 6, 2011

It wasn’t long ago that I felt comfortable recommending CNET‘s download.com as a reputable and trustworthy place to download software. I’d like to take back that advice: CNET increasingly is bundling invasive and annoying browser toolbars with software on its site, even some open-source titles whose distribution licenses prohibit such activity.

Although this change started this summer, I only first became aware of it after reading a mailing list posting on Monday by Gordon “Fyodor” Lyon, the software developer behind the ever useful and free Nmap network security scanner. Lyon is upset because download.com, which has long hosted his free software for download without any “extras,” recently began distributing Nmap and many other titles with a “download installer” that bundles in browser toolbars like the Babylon toolbar.

CNET’s own installer is detected by many antivirus products as a Trojan horse, even though the company prefaces each download with the assurance that “CNET hosts this file and has scanned it to ensure it is virus and spyware free.” CNET also has long touted download.com’s zero tolerance policy toward all bundled adware.

Lyon said he found his software was bundled with the StartNow Toolbar, which is apparently powered by Microsoft‘s “Bing decision engine.” When I grabbed a copy of the Nmap installer from download.com and ran it on a test Windows XP machine, CNET’s installer offered the Babylon Toolbar, which is a translation toolbar that many Internet users have found challenging to remove.

The CNET download installer that I got for Nmap from download.com was made by CBS Interactive (CNET Networks was acquired by CBS in 2008), and it is detected as malicious by three antivirus products at Virustotal.com. When I unpacked the installer from the Nmap program and scanned just the installer, 10 out of the 39 antivirus products detected the file as either a Trojan horse or adware.

Continue reading

Chats With Accused ‘Mega-D’ Botnet Owner?

December 5, 2011

Recently leaked online chat records may provide the closest look yet at a Russian man awaiting trial in Wisconsin on charges of running a cybercrime machine once responsible for sending between 30 to 40 percent of the world’s junk email.

Oleg Nikolaenko

Oleg Y. Nikolaenko, a 24-year-old who’s been dubbed “The King of Spam,” was arrested by authorities in November 2010 as he visited a car show in Las Vegas. The U.S. Justice Department alleges that Nikolaenko, using the online nickname “Docent” earned hundreds of thousands of dollars using his “Mega-D” botnet, which authorities say infected more than half a million PCs and could send over 10 billion spam messages a day. Nikoalenko has pleaded not guilty to the charges, and is slated to appear in court this week for a status conference (PDF) on his case.

The Justice Department alleges that Nikolaenko spammed on behalf of Lance Atkinson and other members of Affking, an affiliate program that marketed fly-by-night online pharmacies and knockoff designer goods. Atkinson told prosecutors that one of his two largest Russian spamming affiliates used the online moniker Docent. He also said that Docent received payment via an ePassporte account under the name “Genbucks_dcent.” FBI agents later learned that the account was registered in Nikolaenko’s name and address in Russia, and that the email address attached to the account was 4docent@gmail.com.

According to my research, Docent also spammed for other rogue pharmacy programs. In fact, it’s hard to find one that didn’t pay him to send spam. In my Pharma Wars series, I’ve detailed how Russian cybercrime investigators probing the operations of the massive GlavMed/SpamIt rogue pharmacy operation seized thousands of chat logs from one of its principal organizers. The chats were later leaked online and to select journalists. Within those records are hundreds of hours of chats between the owners of the pharmacy program and many of the world’s biggest spammers, including dozens with one of its top earners — Docent.

According to the SpamIt records, Docent earned commissions totaling more than $325,000 promoting SpamIt pharmacy sites through spam between 2007 and 2010. The Docent in the SpamIt database also had his earnings sent to the same ePassporte account identified by the FBI. The Docent in the leaked chats never references himself as Nikolaenko, but in several cases he asks SpamIt coordinators to send documents to him at the 4docent@gmail.com address.

The chats between Docent and Stupin show a young man who is ultra-confident in the value and sheer spam-blasting power of his botnet. Below are the first in a series of conversation snippets between Docent and SpamIt co-administrator Dmitry Stupin. Before each is a brief note providing some context.

In the transcript that follows, Stupin tries to woo Docent to join SpamIt. Docent negotiates a much higher commission rate than is usually given to new spamming partners. The typical rate is 30 percent of each sale, but Docent is a known figure in the spamming underground, and argues that his botnet will bring such massive traffic to the SpamIt pharmacies that he deserves a higher 45 or 50 percent cut of the sales. This conversation was recorded on Feb. 1, 2007.

Stupin:  Hello! You have communicated with ICQ 397061228, I am writing regarding your case, Docent.

Docent: Which case?

Stupin:  Do you want to send spam regarding our partnerka [“partnerka” is Russian slang for a mix of private and semi-public affiliate groups that form to facilitate cybercrime activities].

Docent: Which exactly do you mean? I have not yet communicated with this 397061228.

Stupin: Here is the letter which recently came from  you: “It is usual spam,  GI bases, not opt-in. Big volume of emails. I mail a lot of [competing pharmacy] programs, Bulker, Mailien, SRX. I’m a member of most bulk forums. So if you need references, i can provide them. Usual traffic is 2k+ uniques. Also i need bulk-host.”

Docent: Yes, I got it. It’s just nobody IM’d me.

Stupin: ок) What kind of volumes of spam can you deliver? We are soon deploying our own “partnerka” for spam, we just do not have it right now.

Docent: Volumes are huge, 500 million + / day.

Stupin: Wow! Are you not accidentally on [Spamhaus] ROKSO List ?

Docent: Yes, it’s a list of idiots :), with the exception of a couple of people.

Stupin:  We do contract people for our spam campaigns, but only verified people. We are not publicly opened yet.

Continue reading

Loopholes in Verified by Visa & SecureCode

December 2, 2011

Trend Micro’s Rik Ferguson posted a good piece on Thursday about a major shortcoming in credit card security programs maintained by MasterCard and Visa. Although the loophole that Ferguson highlighted may be unsettling to some, fraudsters who specialize in stealing and using stolen credit cards online have been exploiting it for years.

At issue is a security protocol called “3 Domain Secure,” (3DS), a program designed to reduce card fraud and shift liability for fraud from online merchants to the card issuing banks. Visa introduced the program in 2001, branding it “Verified by Visa,” and MasterCard has a similar program in place called “SecureCode.”

Cardholders who chose to participate in the programs can register their card by entering the card number, filling in their ZIP code and birth date, and picking a passcode. When a cardholder makes a purchase at a site that uses 3DS, he enters the code, which is verified by the issuing bank and is never shared with the merchant site.

But as Ferguson notes, people are human and tend to forget things, especially passcodes and passwords, and it is the password reset function that eliminates any security provided by Verified by Visa or SecureCode. From his blog:

What would a criminal do if they access to your card details but not your password? Of course, there’s that handy “I forgot my password” link. Let’s see how well protected that is.”

The first step in the password reset procedure is to enter your card number, obviously to ensure you are resetting the password for the correct account. Once that number is entered the system now requires some corroborating data to be sure that you are the legitimate account holder, let’s have a look at that “Identification” phase.”

“Oh noes, this doesn’t look good at all! Three out of four of the items of information used to verify my identity are all contained in the credit card data itself, embossed or printed on the card and contained in the magnetic stripe data. Wouldn’t the criminal already have access to this? So what remains? One piece of information that is not included on the card. Trouble is, it’s information that is not only widely shared on social networks, surveys, sign-up forms and a myriad of other places, but also freely available in public records. We cannot and should not consider our date of birth to be a secret.”

“Having entered the required information all that remains is to enter a new password of your choosing and your transaction is authorised. Worse still, no email notification is sent to alert the cardholder that their account has been accessed or modified. The cardholder need never know until they check their statements.”

This would all be very shocking if it wasn’t already painfully obvious to today’s cyber crooks. When I read the Trend blog post, I began searching for several screen shots I had taken of a discussion on an underground carding forum more than two years ago, which explained very clearly how to get around this added level of card security. The tutorial in the screen shot below was posted by an administrator from the carding forum carder.pro on Halloween, 2009:

Continue reading

Public Java Exploit Amps Up Threat Level

November 30, 2011

An exploit for a recently disclosed Java vulnerability that was previously only available for purchase in the criminal underground has now been rolled into the open source Metasploit exploit framework. Metasploit researchers say the Java attack tool has been tested to successfully deliver payloads on a variety of platforms, including the latest Windows, Mac and Linux systems.

On Monday, I disclosed how the Java exploit is being sold on cybercrime forums and incorporated into automated crimeware kits like BlackHole. Since then, security researchers @_sinn3r and Juan Vasquez have developed a module for Metasploit that makes the attack tool available to penetration testers and malicious hackers alike. According to a post on the Metasploit blog today, the Java vulnerability “is particularly pernicious, as it is cross-platform, unpatched on some systems, and is an easy-to-exploit client-side that does little to make the user aware they’re being exploited.

Metasploit also posted the results of testing the exploit against a variety of browsers and platforms, and found that it worked almost seamlessly to compromise systems across the board, from the latest 64-bit Windows 7 machines to Mac OS X and even Linux systems.

This development should not be taken lightly by any computer user. According to Sun’s maker Oracle, more than three billion devices run Java. What’s more, Java vulnerabilities are by some accounts the most popular exploit paths for computer crooks these days. On Monday, Microsoft’s Tim Rains published a blog post noting that the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK).

Continue reading