Drug Charges Against Accused AT&T/iPad Hacker

June 17, 2010
18 Comments

A hacker in a group that discovered the AT&T iPad-related flaw was arrested on drug charges following the execution of an FBI search warrant of his home in Arkansas on Tuesday, according to published reports.

CNET’s Elinor Mills writes that the FBI found a broad selection of narcotics at the home of a man tied to “Goatse Security,” the group that recently claimed responsibility for extracting contact information on more than 114,000  iPad customers from AT&T’s Web site.

From the CNET story:

Andrew Auernheimer, 24, was being held in Washington County Detention Center in Fayetteville, Ark., according to Lt. Anthony Foster of the Washington County Sheriff’s office in that state. The drugs were found during the execution of the warrant, said Lt. Mike Perryman, of the Fayetteville Police Department. However, Perryman could not say what prompted the warrant.

Auernheimer, who goes by the name “Escher” and the hacker handle “Weev,” faces four felony charges of possession of a controlled substance and one misdemeanor possession charge, Foster said. The drugs included cocaine, ecstasy, LSD, and schedule 2 and 3 pharmaceuticals, he said.

Spiegelmock and Auernheimer speaking at Toorcon 2006

Auernheimer is quite a colorful character. I met him in 2006 at the Toorcon security conference in San Diego, where he and Mischa Spiegelmock – an employee for blogging service LiveJournal – were delivering a talk on what they claimed was an unpatched security flaw in Mozilla’s Firefox browser that hackers were supposedly attacking to compromise Web surfers. At the time, Auernheimer introduced himself as Andrew “Weev” Wbeelsoi.

That presentation — which called on security researchers everywhere to stop publicizing and fixing software security vulnerabilities — was at times hilarious and bizarre. Weev started out by informing the audience that he was delivering his speech while tripping on acid. When I followed up with Weev after that talk to get more details on their claims, it was fairly plain that he wasn’t kidding about the acid trip. However, the two hackers would later admit to me that they didn’t really have the zero day exploits that they claimed, and that they were just trying to have a little fun with the security industry.

Police Arrest 178 in U.S.-Europe Raid on Credit Card ‘Cloning Labs’

June 15, 2010
12 Comments

Equipment seized from a 'cloning lab'. Photo courtesy Spanish Ministry of Interior.

Police have arrested 178 people in Europe and the United States suspected of cloning credit and debit cards in an international scam worth over 20 million euro ($24.52 million), according to a report from Reuters and authorities in Spain.

The stories so far are all light on details or whether this bust was connected to specific fraud forums that facilitate the trade in stolen credit card data, but the wire reports include the following information:

Police in fourteen countries participated a two-year investigation, initiated in Spain where police have discovered 120,000 stolen credit card numbers and 5,000 cloned cards, arrested 76 people and dismantled six cloning labs.

The raids were made primarily in Romania, France, Italy, Germany, Ireland and the United States, with arrests also made in Australia, Sweden, Greece, Finland and Hungary. The detainees are also suspected of armed robbery, blackmail, sexual exploitation and money-laundering, the police said.

Source here. There is also quite a bit more juicy information in the press release from Spanish Ministry of Interior, a Google translated version of which is available here. For all you Spanish speakers, the original version is here.

Criminals can clone debit cards if they have access to the cardholder’s PIN as well as the data stored on the magnetic strip on the back of these payment cards. In some cases, crooks obtain these “dumps” by stealing the data (either in person or via hacking) online or main street merchants.

Another popular method of obtaining dumps and PINs is through the use of ATM skimmers, which I have written about extensively. According to Spanish police, as part of the raids Germany has arrested 16 people involved in skimming bank cards (look for another KrebsOnSecurity post on ATM skimmers sometime in the next week or so).

In related news, MasterCard announced it is trialing a new debit card that includes not only a computer chip but also a tiny digital display that produces a one-time password for each online transaction. But don’t expect to see these replacing regular, low tech credit and debit cards here in the U.S., at least not for a while. Slashgear.com reports that the devices are being trialed with Turkish bank for now.

Read more about the specs of this device, at this data sheet (PDF)  from the manufacturer’s Web site.

Advertisement

Unpatched Windows XP Flaw Being Exploited

June 15, 2010
31 Comments

A security vulnerability in Microsoft Windows XP systems that was first disclosed a week ago is now being actively exploited by malicious Web sites to foist malware on vulnerable PCs, according to reports.

Last week, Google researcher Tavis Ormandy disclosed the details of a flaw in the Microsoft Help & Support Center on Windows XP and Server 2003 systems that he showed could be used to remotely compromise affected systems. Today, experts at security firm Sophos reported that they’re seeing the first malicious and/or hacked sites beginning to exploit the bug.

If you use Windows XP and have not yet taken Microsoft up on its suggestion to disable the vulnerable Help & Support Center component, please consider taking a moment to do that today. Until Microsoft issues an official fix for this flaw, the workaround they suggest is an easy and apparently painless one. The instructions are available at this link.

Update, June 17, 9:20 a.m. PST: Updated post to include link to Microsoft “FixIt” tool.

Cloud Keyloggers?

June 14, 2010
6 Comments

Keystroke-logging computer viruses let crooks steal your passwords, and sometimes even read your e-mails and online chats. Recently, however, anonymous criminals have added insult to injury, releasing a keylogger strain that publishes stolen information for all the world to see at online notepad sharing sites such as pastebin.com.

Last week, security experts at BitDefender discovered a continuing stream of new entries at pastebin.com and pastebin.ca that included text files laid out in the format typically used by keystroke-logging malware. For example, each keypress in the log posted to pastebin.com is preceded by a listing of the program currently in focus on the victim’s screen, and each function key pressed is spelled out, so that when the victim hits the backspace or down arrow key, for instance, the keystroke log will show a “[back]” or “[down]” entry in place of each corresponding keypress (see the screenshot to the right).

Typically, keystroke logging malware will submit stolen data to a Web server specified in the malware that the attacker controls. BitDefender theorizes that those responsible for creating this keylogger variant may have chosen pastebin.com because it is unlikely to be blocked by Web filters or malware blacklists.

I kept the pastebin.com home page open most of the weekend and refreshed it periodically, and confirmed that a relatively large number of keylogger records were being uploaded in real time to the free service. To the right is one of many screenshots I took of the files I found on Pastebin.com.

Pastebin owner Jeroen said Pastebin is aware of the problem and is working on a new version of the site that should block these automated keyloggers from posting their content there.

Continue reading

Security Alert for Windows XP Users

June 14, 2010
16 Comments

Microsoft is warning Windows XP and Server 2003 users that exploit code has been posted online showing attackers how to break into these operating systems remotely via a newly-discovered security flaw.

The vulnerability has to do with a weakness in how Windows Help and Support Center processes links. Both Windows XP and Server 2003 retrieve help and support information from a fixed set of Web pages that are included on a whitelist maintained by Windows. But Google security researcher Tavis Ormandy last week showed the world that it was possible to add URLs to that whitelist.

Microsoft said an attacker could exploit this flaw by tricking a user into clicking a specially crafted link. Any files fetched by that link would be granted the same privileges as the affected system’s current user, which could spell big problems for XP users browsing the Web in the operating system’s default configuration — using the all-powerful “administrator” account.

“Given the public disclosure of the details of the vulnerability, and how to exploit it, customers should be aware that broad attacks are likely,” Microsoft said in a statement released last week.

Continue reading

Don’t Need Java? Junk It.

June 11, 2010
67 Comments

I am often asked to recommend security software,  but it’s important to remember that staying secure is just as much about removing little-used software that increases your exposure to online threats. At the very top of my nix-it-now list is Java, a powerful application that most users have on their systems but that probably few actually need.

Not only do most users have some version of Java on their systems, most Windows users likely have multiple copies of this program on their PCs, because older installers failed to remove previous, insecure versions of the software.

Worse still, Java is now among the most frequently-attacked programs, and appears to be fast replacing Adobe as the target of choice for automated exploit tools used by criminals.

Readers of the blog are no doubt familiar with my previous stories on the Eleonore Exploit Pack, a commercial software package sold by and to criminals that is used to booby trap Web sites with exploits for the most common Web browser vulnerabilities. Check out past posts on Eleonore, and it’s clear Java flaws are a key target of this increasingly common exploit pack.

Below are a few screen shots taken from the administration page of yet another working Eleonore Exploit Pack: The first image shows the exploits used by this pack, along with the number of times each exploit  (“sploit”) was successful in delivering malicious software payloads (or “loads”) to the visitor. As we can see, the “java2e” and “javae0” are by far the most successful of the exploits.

Continue reading

Adobe Flash Update Plugs 32 Security Holes

June 10, 2010
33 Comments

As promised, Adobe has released a new version of its Flash Player software to fix a critical security flaw that hackers have been exploiting to break into vulnerable systems. The update also corrects at least 31 other security vulnerabilities in the widely used media player software.

The latest version, v. 10.1, fixes a number of critical flaws in Adobe Flash Player version 10.0.45.2 and earlier. Don’t know what version of Flash you’ve got installed? Visit this page to find out. The new Flash version is available for Windows, Mac and Linux operating systems, and can be downloaded from this link.

Note that if you use both Internet Explorer and non-IE browsers, you’re going to need to apply this update twice, once by visiting the Flash Player installation page with IE and then again with Firefox, Opera, or whatever other browser you use.

Please take a moment to check if you have Flash installed and — if so — to update it: A working copy of the code used to exploit this vulnerability has been included in Metasploit, an open source penetration testing framework. Also note that Adobe likes to bundle all kinds of third party software — from security scanners to various browser toolbars — with its software, so if you don’t want these extras you will need to uncheck the box next to the added software before you click the download button.

The vulnerability that prompted Adobe to issue this interim update (the company had been slated to issue these and other security updates on July 13) also is present in Adobe Reader and Acrobat, although Adobe says it does not plan to fix the flaw in either of these products until June 29.

Now would be a great time for longtime users of Adobe’s free Reader software to consider removing Reader and switching to an alternative free reader, such as Foxit or Sumatra.

Note that Flash generally comes with Adobe Download manager, a package that in prior versions has been found to harbor its own security vulnerabilities. The download manager is designed to uninstall itself from machines after a reboot, so to be on the safe side, you may want to reboot your system after updating Flash.

http://www.adobe.com/support/security/bulletins/apsb10-08.html

ZeuS Trojan Attack Spoofs IRS, Twitter, Youtube

June 9, 2010
41 Comments

Criminals have launched an major e-mail campaign to deploy the infamous ZeuS Trojan, blasting out spam messages variously disguised as fraud alerts from the Internal Revenue Service, Twitter account hijack warnings, and salacious Youtube.com videos.

According to Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham, this latest attack appears to be an extension of a broad malware spam campaign that began at the end of May.

The fake IRS e-mails arrive with the tried-and-true subject line “Notice of Underreported Income,” and encourage the recipient to click a link to review their tax statement.

All of the latest e-mails use a variety of URL shortening services. For example, this shortened link (currently live and dangerous, and therefore neutered here)…

Continue reading

Microsoft, Apple Ship Big Security Updates

June 8, 2010
28 Comments

In its largest patch push so far this year, Microsoft today released 10 security updates to fix at least 34 security vulnerabilities in its Windows operating system and software designed to run on top of it. Separately, Apple has shipped another version of Safari for both Mac and Windows PCs that plugs some four dozen security holes in the Web browser.

Microsoft assigned three of the updates covering seven vulnerabilities a “critical” rating, meaning they can be exploited to help attackers break into vulnerable systems with no help from users. At least 14 of the flaws fixed in this month’s patch batch are in Microsoft Excel, and another eight relate to Windows and Internet Explorer.

According to Microsoft, the most serious of the bugs involves a weakness in the way Windows handles certain media formats, and is present in all supported versions of Windows. Another critical update nixes six different insecure ActiveX controls (plug-ins for Internet Explorer), while the third critical update corrects at least a half dozen vulnerabilities in IE.

Microsoft notes that Office XP users may not be able to install one of the needed updates; Rather, Redmond is releasing what it calls a “shim,” or essentially and point-and-click “FixIt” tool that apparently does the job. If you use Office XP, go ahead and click the “FixIt” icon at this link when you’re done installing the rest of the updates.

The Microsoft patches are available through Windows Update or via Automatic Update. As usual, please drop a note in the comments below if you experience any problems as a result of installing these updates.

Apple’s Safari 5.0 update fixes at least four-dozen security vulnerabilities in Safari on Mac OS X and Windows versions. Updates are available for Mac OS X v 10.4.11, Mac OS X v10.5.8, Mac OS X v10.6.2 or later, Windows 7, Vista, and XP. Mac users can grab the update from Software Update or Apple Downloads; Safari users on Windows will need to update using the bundled Apple Software Update utility.

Adobe Warns of Critical Flaw in Flash, Acrobat & Reader

June 5, 2010
35 Comments

Adobe Systems Inc. warned late Friday that malicious hackers are exploiting a previously unknown security hole present in current versions of its Adobe Reader, Acrobat and Flash Player software.

“There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player and Adobe Reader and Acrobat,” the company said in a brief blog post published Friday evening. “This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system.”

Adobe said the vulnerability exists in Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and a component (authplay.dll) of Adobe Reader and Acrobat versions 9.x for Windows, Mac and UNIX operating systems.

The company notes that the Flash Player 10.1 Release Candidate, available from this link, does not appear to be vulnerable. Adobe also said Adobe Reader and Acrobat 8.x are confirmed not vulnerable. Further, Adobe Reader and Acrobat users can mitigate the threat from this flaw by deleting, renaming or removing access to the “authplay.dll” file that ships with Reader and Acrobat (although users may still experience a non-exploitable crash or error message when opening a PDF that contains Flash content).

The vulnerable component should be located at these spots for Windows users:

Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll

Acrobat: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll

Adobe says it is working on an official patch for the problem. Stay tuned for more details.

Update, June 7, 11:25 a.m. ET: Symantec is reporting that one strain of malware exploiting this vulnerability is something it calls Trojan.Pidief.J, which is a PDF file that drops a backdoor onto the compromised computer if an affected product is installed. Clearly, this is a follow-the-bouncing-malware type of exploit: “Upon analysis of an attack, it is also observed that a malicious [Shockwave Flash] file (detected as Trojan Horse) is used in conjunction with an HTML file (detected as Downloader) to download another malware (detected as Backdoor.Trojan) from the web,” the company said. Symantec notes that while the current attacks against this flaw are targeted and limited, that will likely soon change as more criminal groups start taking advantage of the vulnerability.

Update, June 8, 12:40 p.m. ET: Adobe said today that it plans to issue a patch for the Flash vulnerability (on 10.x versions of Flash) on Thursday, June 10, for Windows, Linux and Mac. But the software maker said it doesn’t expect to ship an update for Windows, Linux and Mac versions of Adobe Reader and Acrobat until June 29. Adobe also posted steps that Mac and Linux users can take to mitigate any threat from these vulnerabilities, in an updated advisory.