Less than 24 hours after Microsoft acknowledged the existence of an unpatched, critical flaw in all versions of its Internet Explorer Web browser, computer code that can be used to exploit the flaw has been posted online.
This was bound to happen, as dozens of researchers were poring over malicious code samples that exploited the flaw, which has generated more interest and buzz than perhaps any other vulnerability in recent memory. The reason? Anti-virus makers and security experts say this was the same flaw and exploit that was used in a series of sophisticated, targeted attacks against Google, Adobe and a slew of other major corporations, in what is being called a massive campaign by Chinese hacking groups to hoover up source code and other proprietary information from these companies.
Microsoft said it will continue monitoring this situation and take appropriate action to protect its customers, including releasing an out-of-band patch to address the threat. Typically, Microsoft issues patches on the second Tuesday of the month (a.k.a. “Patch Tuesday), but due to the seriousness of this threat and the sheer number of companies that have apparently already been hacked because of it, Microsoft is likely to push out an update before the end of the month. In fact, I would not be surprised to see a fix for this within the next 7 to 10 days.
In the meantime, Redmond is urging IE users to upgrade to the latest version, IE8, which the company touts as its most secure version of the browser. Still, even IE is still vulnerable, and this is a browse-to-a-nasty-site-and-get-owned kind of vulnerability. As such, Internet users will be far more secure surfing the Web with an alternative browser (at least until Microsoft fixes this problem), such as Google Chrome, Mozilla Firefox, Opera, or Apple‘s Safari for Windows.
Pictured below is what’s known as a skimmer, or a device made to be affixed to the mouth of an ATM and secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution.
This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?
The recent targeted cyber attacks against Google, Adobe and other major companies were fueled in part by a previously unknown — and currently unpatched — security flaw in Microsoft‘s Internet Explorer Web browser, anti-virus vendor McAfee said today.
McAfee said its investigation revealed that one of the malicous software samples used in the attacks exploited a new, not publicly known vulnerability in IE that is present in all of Microsoft’s most recent operating system releases, including Windows 7.
Google has reportedly stopped censoring Chinese search results for its Google.cn property, in response to what it said earlier this week were targeted attacks against its corporate infrastructure aimed at Chinese dissident groups. But a security research firm claims the attack that hit Google was part of a larger, unusually sophisticated assault aimed at stealing source code from Google and at least 30 other Silicon Valley firms, banks and defense contractors.
Also, Google switches to “always on” encryption for all Gmail users. And some pundits see ulterior motives in Google’s Chinese hacking disclosure. More after the jump.
The earthquakes that have wrought so much devastation and death in Haiti this week are moving many to donate to various relief efforts. But security experts and the FBI are warning people to be on the lookout for ghoulish criminals scams that invariably spring up in the wake of such natural disasters in a bid to siphon funds from charitable organizations.
I have written a great deal about how organized cyber gangs in Eastern Europe drained tens of millions of dollars from the bank accounts of small- to mid-sized businesses last year. But new evidence indicates one of the gangs chiefly responsible for these attacks managed to hack directly into a U.S. bank last year and siphon off tens of thousands of dollars.
On July 30, 2009, at least five individuals across the United States each received an electronic transfer of funds for roughly $9,000, along with instructions to pull the cash out of their account and wire the funds in chunks of less than $3,000 via Western Union and Moneygram to three different individuals in Ukraine and Moldova.
The recipients had all been hired through work-at-home job offers via popular job search Web sites, and were told they would be acting as agents for an international finance company. The recruits were told that their job was to help their employers expedite money transfers for international customers that were — for some overly complicated reason or another — not otherwise able to move payments overseas in a timely enough manner.
The money was sent to these five U.S. recruits by an organized ring of computer thieves in Eastern Europe that specializes in hacking into business bank accounts. The attackers likely infiltrated the bank the same way they broke into the accounts of dozens of small businesses last year: By spamming out e-mails that spoofed a variety of trusted entities, from the IRS, to the Social Security Administration and UPS, urging recipients to download an attached password-stealing virus disguised as a tax form, benefits claim or a shipping label, for example. Recipients who opened the poisoned attachments infected their PCs, and the thieves struck gold whenever they managed to infect a PC belonging to someone with access to the company’s bank accounts online.
Microsoft and Adobe Systems each issued security updates on Tuesday. Redmond released a single patch to plug a flaw that’s not terribly scary, unless you happen to be running Windows 2000. Adobe’s patch bundle, however, covers at least eight critical security flaws, including one that hackers have been exploiting in targeted attacks of late.
In a huge disclosure today, Google said a sophisticated and targeted cyber attack against its corporate infrastructure late last year was aimed at accessing the Gmail accounts of Chinese human rights activists. As a result of the incident, the company says it will no longer censor search results on behalf of the Chinese government, and that it may in fact cease operations in the country altogether.
In a posting to its Official Google Blog, the company said that in mid-December a “highly sophisticated and targeted attack” against its internal systems “resulted in the theft of intellectual property from Google.” The search engine giant said that the attack also struck at least 20 other large companies from a wide range of businesses, and that it is currently in the process of notifying those companies.
Google said it has evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.
“Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,” the company said. “We have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users’ computers.”
As a result of the attacks, Google says it is no longer willing to continue censoring Google.cn search results. From the Google announcement:
“We launched Google.cn in January 2006 in the belief that the benefits of increased access to information for people in China and a more open Internet outweighed our discomfort in agreeing to censor some results. At the time we made clear that ‘we will carefully monitor conditions in China, including new laws and other restrictions on our services. If we determine that we are unable to achieve the objectives outlined we will not hesitate to reconsider our approach to China.’
A periodic pointer to some of the more interesting and newsworthy security news stories. In no particular order:
Proof-of-concept for Mac OS X systems Released
Possible Malicious Apps for Google’s Android Phone
Online Gaming Exec. Sentenced to 33 Months
‘Massive Cybercrime Conspiracy’
Read after the jump for summaries and links to more information.
January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products.