Privacy Digest

News that can impact your privacy.

Software

Feds: TSA Worker Tried to Sabotage Terror Database

Submitted by MacRonin on March 11, 2010 - 7:37pm
  • Colorado
  • Databases
  • Douglas James Duchak
  • Exploits
  • Government
  • Hmmm
  • Law Enforcement
  • Person Attributes
  • Person Career
  • Privacy
  • Quotation
  • Remember
  • Security
  • Software
  • TSA
  • TSA - Transportation Security Administration

Feds: TSA Worker Tried to Sabotage Terror Database: Via Threat Level.

A former Transportation Security Administration contractor is being charged in Colorado for allegedly injecting malicious code into a government network used for screening airport security workers and others.

The malicious code, a logic bomb installed last October, was designed to cause damage and disrupt data on servers on an undisclosed date but was caught by other workers before it delivered its payload.

Douglas James Duchak, 46, had worked as a data analyst at the TSA’s Colorado Springs Operations Center, or CSOC, since 2004. The CSOC is used to vet people who have “access to sensitive information and secure areas of the nation’s transportation network,” according to the indictment. A source involved in the case said this involved screening of both passengers and workers at airports and other transportation facilities.

He pleaded not guilty in a Denver federal court on Wednesday and was released on a $25,000 unsecured bond. The indictment did not say whether the malware was crafted to erase or alter data, or simply disable servers.

The CSOC network stores updated information from the government’s terrorist watchlist as well as criminal histories from the U.S. Marshal’s Service Warrant Information Network. [ Read more ... ]

Hackers exploit latest IE zero-day with drive-by attacks

Submitted by MacRonin on March 10, 2010 - 5:35pm
  • Company Competitor
  • Craig Schmugar
  • Exploits
  • Microsoft
  • Privacy
  • Quotation
  • Security
  • Software

Hackers exploit latest IE zero-day with drive-by attacks: Via Computerworld Cybercrime/Hacking News.

Hackers are exploiting the just-disclosed unpatched bug in Internet Explorer (IE) to launch drive-by attacks from malicious Web sites, security researchers said today.

"This attack appears to be rather targeted at the moment, but as with other unpatched vulnerabilities in the past, this has the potential to explode now that the word is getting out," said Craig Schmugar, a threat researcher at McAfee, in a blog post today.

Attacks are launched from Web sites in a classic drive-by fashion, said Schmugar and others. "Visiting the page is enough to get infected," Schmugar said.

Symantec also confirmed that it has spotted in-the-wild attacks exploiting the critical vulnerability in IE6 and IE7 that Microsoft acknowledged yesterday. "We're still seeing just limited attacks," said Ben Greenbaum, a senior research manager on Symantec's security response team. "The exploit is carried out simply by visiting a Web page hosting the vulnerability. When the browser opens the page, the exploit causes the user's computer to download and execute another piece of malware." [ Read more ... ]

Serious Apache Exploit Discovered

Submitted by MacRonin on March 8, 2010 - 11:08am
  • Alert
  • Apache
  • Company Technology
  • Exploits
  • Hmmm
  • Infrastructure
  • Open Source
  • Privacy
  • Security
  • Software
  • Windows

Serious Apache Exploit Discovered: Via Slashdot.

bennyboy64 writes "An IT security company has discovered a serious exploit in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache's core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit."
Note: according to the advisory, this exploit is exclusive to Windows.

Read Original Article:(Via Slashdot.)

Spain Busts Hackers for Infecting 13 Million PCs

Submitted by MacRonin on March 2, 2010 - 11:25pm
  • Bot- Nets
  • Chris Davis
  • Europe
  • Exploits
  • Hmmm
  • Infrastructure
  • Law Enforcement
  • Person Career
  • Privacy
  • Quotation
  • Security
  • Software

Spain Busts Hackers for Infecting 13 Million PCs: Via Threat Level.

BOSTON (Reuters) — Spanish police have shut down a ring of computer hackers who infected more than 13 million PCs with a virus that stole credit card numbers and other valuable data in what may be the biggest cyber-raid to date.

Spain’s Civil Guard said on Tuesday that it arrested three men suspected of running the so-called Mariposa botnet, named after the Spanish word for butterfly. A press conference to give more details is scheduled for Wednesday.

Mariposa had infected machines in 190 countries in more than half of the world’s 1,000 largest companies and in at least 40 big financial institutions, according to two Internet security firms that helped Spanish officials crack the ring, Canada’s Defense Intelligence and Spain’s Panda Security. [ Read more ... ]

Brief Facebook glitch sent private messages to wrong users

Submitted by MacRonin on February 25, 2010 - 6:55pm
  • Companies
  • Facebook
  • FaceBook
  • Hmmm
  • Infrastructure
  • Law & Disorder Section - Ars Technica
  • Privacy
  • Private
  • Remember
  • Security
  • Software
  • Spin Zone
  • Website

Brief Facebook glitch sent private messages to wrong users: Via Law & Disorder Section - Ars Technica.

Last night, a number of Facebook users began getting hundreds of private messages and friend requests intended for other users, according to a Wall Street Journal report. While the problem was only temporary, it adds to the growing concern that Facebook doesn't do enough to ensure the privacy of its users' data. [ Read more ... ]

Augmented Identity App Helps You Identify and Friend Perfect Strangers, Face to Face

Submitted by MacRonin on February 23, 2010 - 7:20pm
  • Anonymity
  • Companies
  • Databases
  • Europe
  • Hmmm
  • ID
  • People
  • Privacy
  • Software
  • Technology
  • Website

Augmented Identity App Helps You Identify and Friend Perfect Strangers, Face to Face : Via Popular Science.

By this point, we're all familiar with augmented reality, but Swedish mobile software firm The Astonishing Tribe is taking information overload to the next logical step: augmented identity. Mashing up face recognition technology, computer vision, cloud computing, and augmented reality with the complex digital lives many of us lead on the Internet, TAT has created an app that allows you to gather information on a person and their social networking life simply by pointing your camera phone at their face.

Dubbed Recognizr, the app essentially works like this: the user points the camera at a person across the room. Face recognition software creates a 3-D model of the person's mug and sends it across a server where it's matched with an identity in the database. A cloud server conducts the facial recognition and sends back the subject's name as well as links to any social networking sites the person has provided access to. [ Read more ... ]

iPhone Privacy, Security Not What Apple Claims, Researcher Says

Submitted by MacRonin on February 23, 2010 - 1:41pm
  • Apple
  • Editorial
  • Exploits
  • Hmmm
  • iPhone
  • Nicolas Seriot
  • Person Career
  • Privacy
  • Quotation
  • Security
  • Software
  • Telecommunications
  • Wireless

iPhone Privacy, Security Not What Apple Claims, Researcher Says: Via PCWorld.

Apple's claims about iPhone privacy and security are exaggerated, according to software engineer and security expert Nicolas Seriot, who gave a presentation yesterday about the iPhone at the Black Hat Conference in DC.

Apple's sandboxing technology restricts iPhone applications to operating system resources with a list of deny/allow rules at the kernel level, but these and other permissions are "way too loose," and "Apple should not claim that an application cannot access data from another application," said Seriot, who works as an iPhone programming trainer at a company called Sen:te. [ Read more ... ]

Google Buzzkill

Submitted by MacRonin on February 18, 2010 - 2:14pm
  • Companies
  • Editorial
  • Google
  • Hmmm
  • Privacy
  • Reviews
  • Software
  • Website

Google Buzzkill: Via Freedom to Tinker.

The launch of Google Buzz, the new social networking service tied to GMail, was a fiasco to say the least. Its default settings exposed people's e-mail contacts in frightening ways with serious privacy and human rights implications. Evgeny Morozov, who specializes in analyzing how authoritarian regimes use the Internet, put it bluntly last Friday in a blog post: "If I were working for the Iranian or the Chinese government, I would immediately dispatch my Internet geek squads to check on Google Buzz accounts for political activists and see if they have any connections that were previously unknown to the government."

According to the BBC, the Buzz development team bypassed Google's standard trial and testing procedures in order to launch the product quickly. [ Read more ... ]

Over 75,000 systems compromised in cyberattack

Submitted by MacRonin on February 18, 2010 - 11:55am
  • Alert
  • Bot- Nets
  • Companies
  • Company Location
  • Data Breach
  • Databases
  • Exploits
  • Hmmm
  • ID
  • Infrastructure
  • NetWitness Corp.
  • Privacy
  • Security
  • Software

Over 75,000 systems compromised in cyberattack: Via Computerworld Cybercrime/Hacking News.

Correction: An earlier version of this story incorrectly said the cyberattacks began in 1998. They began in 2008.

Security researchers at Herndon, Va.-based NetWitness Corp. have unearthed a massive botnet affecting at least 75,000 computers at 2,500 companies and government agencies worldwide.
The Kneber botnet, named for the username linking the affected machines worldwide, has been used to gather login credentials to online financial systems, social networking sites and e-mail systems for the past 18 months, according to NetWitness.

A 75GB cache of stolen data discovered by NetWitness included 68,000 corporate login credentials, login data for user accounts at Facebook, Yahoo and Hotmail, 2,000 SSL certificate files and a large amount of highly detailed "dossier-level" identity information. In addition, systems compromised by the botnet also give attackers remote access inside the compromised network, the company said.

"Disturbingly, the data was only a one-month snapshot of data from a campaign that has been in operation for more than a year," NetWitness said in a statement announcing the discovery of the botnet late yesterday. [ Read more ... ]

Rogue antivirus program comes with tech support

Submitted by MacRonin on February 14, 2010 - 12:25am
  • Exploits
  • Hmmm
  • Person Career
  • Quotation
  • Scams
  • Security
  • Software
  • Symantec

Rogue antivirus program comes with tech support: Via Computerworld Security News.

In an effort to boost sales, sellers of a fake antivirus product known as Live PC Care are offering their victims live technical support.

According to researchers at Symantec, once users have installed the program, they see a screen, falsely informing them that their PC is infected with several types of malware. That's typical of this type of program. What's unusual, however, is the fact that the free trial version of Live PC Care includes a big yellow "online support" button.

Clicking on the button connects the victim with an agent, who will answer questions about the product via instant message.

Symantec says the agent is no automated script, but in fact a live person. [ Read more ... ]

Microsoft's new 'phone home' anti-piracy practice unacceptable, says critic

Submitted by MacRonin on February 13, 2010 - 1:04pm
  • Alert
  • Companies
  • Editorial
  • Exploits
  • Hmmm
  • ID
  • Lauren Weinstein
  • Microsoft
  • Person Career
  • Privacy
  • Remember
  • Reviews
  • Security
  • Software
  • Spin Zone
  • Tracking
  • Windows
  • Windows 7

Microsoft's new 'phone home' anti-piracy practice unacceptable, says critic: Via Computerworld Privacy News.

'At what point is one free of this' perpetual checking, asks Lauren Weinstein

The Internet advocate who blasted Microsoft in 2006 over the daily "phone home" habits of its anti-piracy software took the company to task again today for a new practice that will examine consumers' Windows 7 PCs every 90 days to make sure they're running legitimate copies of the OS.

Lauren Weinstein, the co-founder of People For Internet Responsibility (PFIR), urged Windows 7 users not to accept the optional update to Windows Activation Technologies (WAT) when Microsoft begins seeding it to the Windows Update service later this month.

"The approach that Microsoft is now taking doesn't seem to make sense, even for honest consumers," Weinstein argued in a post to his blog. "Microsoft will trigger forced downgrading to non-genuine status if they believe a Windows 7 system is potentially pirated based on their 'phone home' checks that will occur at (for now) 90 day intervals during the entire life of Windows 7 on a given PC, even months or years after purchase. [ Read more ... ]

New Russian botnet tries to kill rival

Submitted by MacRonin on February 10, 2010 - 9:26pm
  • Bot- Nets
  • Exploits
  • Hmmm
  • ID
  • Person Career
  • Quotation
  • Security
  • Software
  • Spy
  • World

New Russian botnet tries to kill rival: Via Computerworld Cybercrime/Hacking News.

An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers.

Security researchers say that the relatively unknown [Spy Eye toolkit] added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus.

The feature, called "Kill Zeus," apparently removes the Zeus software from the victim's PC, giving Spy Eye exclusive access to usernames and passwords.

Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own "botnet" networks of password-stealing programs. [ Read more ... ]

Cisco's wiretapping system open to exploit, says researcher

Submitted by MacRonin on February 5, 2010 - 1:01am
  • Activists
  • Alert
  • Cisco
  • Companies
  • Exploits
  • Hardware
  • Hmmm
  • How-To
  • Infrastructure
  • Law & Disorder Section - Ars Technica
  • Law Enforcement
  • Person Career
  • Privacy
  • Researcher
  • Security
  • Software
  • Standards
  • Telecommunications

Cisco's wiretapping system open to exploit, says researcher: Via Law & Disorder Section - Ars Technica.

To meet the needs of law enforcement, most telecommunications equipment includes hardware and software that allow for the monitoring of traffic originating with the targets of investigations. The precise capabilities are often dictated by formalized standards, which allow any hardware maker to implement a compliant system. Unfortunately, these standards often leave the hardware wide open to various attacks that leave regular users vulnerable, and provide savvy surveillance targets the opportunity to evade the snooping. An IBM researcher has put Cisco's system under the microscope at a Black Hat Conference, and found it comes up short. [ Read more ... ]

Software Firms Fear Hackers Who Leave No Trace

Submitted by MacRonin on January 29, 2010 - 4:13pm
  • Companies
  • Company Technology
  • Exploits
  • Google
  • Hmmm
  • Infrastructure
  • Person Career
  • Privacy
  • Quotation
  • Security
  • Software
  • World

Software Firms Fear Hackers Who Leave No Trace: Via NYTimes.com .

MOUNTAIN VIEW, Calif. — The crown jewels of Google, Cisco Systems or any other technology company are the millions of lines of programming instructions, known as source code, that make its products run.

If hackers could steal those key instructions and copy them, they could easily dull the company’s competitive edge in the marketplace. More insidiously, if attackers were able to make subtle, undetected changes to that code, they could essentially give themselves secret access to everything the company and its customers did with the software.

The fear of someone building such a back door, known as a Trojan horse, and using it to conduct continual spying is why companies and security experts were so alarmed by Google’s disclosure last week that hackers based in China had stolen some of its intellectual property and had conducted similar assaults on more than two dozen other companies. [ Read more ... ]

Pentagon Searches for ‘Digital DNA’ to Identify Hackers

Submitted by MacRonin on January 26, 2010 - 11:52pm
  • Company Labor Issues
  • DNA & Genetics
  • DoD - Department of Defense
  • Exploits
  • Government
  • Hmmm
  • Law Enforcement
  • Pentagon
  • Security
  • Software
  • Technology

Pentagon Searches for ‘Digital DNA’ to Identify Hackers: Via Danger Room.

One of the trickiest problems in cyber security is trying to figure who’s really behind an attack. Darpa, the Pentagon agency that created the Internet, is trying to fix that, with a new effort to develop the “cyber equivalent of fingerprints or DNA” that can identify even the best-cloaked hackers.

The recent malware hit on Google and other U.S. tech firms showed once again just how hard it is to pin a network strike on a particular person or group. Engineers are pretty sure the attack came from China, and it sure was sophisticated enough to come from a state military like China’s. But it’s hard to say conclusively that the People’s Liberation Army launched the strike.

It’s the kind of problem Darpa will try to solve with its “Cyber Genome” project. [ Read more ... ]

Privacy Network Tor Suffers Breach

Submitted by MacRonin on January 25, 2010 - 8:20pm
  • Activists
  • Anonymity
  • Cryptography
  • Exploits
  • Hmmm
  • Infrastructure
  • P2P
  • Privacy
  • Private
  • Security
  • Software
  • Tor Suffers Breach
  • World

Privacy Network Tor Suffers Breach: Via InformationWeek.com .

The virtual network, Tor, designed to provide private and secure Web browsing to people around the world had a number of servers hacked recently. The Tor anonymous network is helpful to those living in nations that oppress free speech, such as China and Iran, and need unfettered access to information.

According to this post in the (Simple End-User Linux) SEUL.org discussion list, three of Tor's servers were compromised earlier this month, two were part of the network's directory structure:

In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we'd recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers.

The breach appears to have been for CPU capacity, according to the post. And the infiltrators were using the server to launch other attacks. [ Read more ... ]

Microsoft Learned of IE Zero-Day Flaw Last September

Submitted by MacRonin on January 22, 2010 - 1:41am
  • Adobe
  • Companies
  • Company Competitor
  • Exploits
  • Google
  • Hmmm
  • Microsoft
  • Privacy
  • Quotation
  • Remember
  • Security
  • Software

Microsoft Learned of IE Zero-Day Flaw Last September: Via Threat Level.

Microsoft was aware months ago of a critical security vulnerability well before hackers exploited it to breach Google, Adobe and other large U.S. companies but did not patch the hole completely until Thursday.

The software giant had intended to release a patch for the flaw in February — more than four months after learning about it, but had to speed up that plan and roll it out this week in the wake of news that Google and others had been hacked through the flaw, the world’s largest software maker acknowledged Thursday.

Meron Sellen, a security researcher at BugSec, an Israeli firm, quietly reported the vulnerability to Microsoft in September, according to security firm Kaspersky.

Microsoft confirmed it learned of the so-called “zero-day” flaw months ago.

According to Microsoft, “An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. [ Read more ... ]

Data mining project benefits investigators, scares privacy experts

Submitted by MacRonin on January 14, 2010 - 12:04pm
  • Alert
  • Asher
  • Companies
  • Data Mining
  • Databases
  • Government
  • Hmmm
  • Law Enforcement
  • People
  • Person Career
  • Privacy
  • Remember
  • Security
  • Software
  • Via St. Petersburg Times

Data mining project benefits investigators, scares privacy experts: Via St. Petersburg Times.

Called a "mad scientist" by one employee, Asher has made a fortune collecting public records — deeds, lawsuits, voter registrations — and combining them into databases that can be invaluable in locating people. Plug a name into Accurint, Asher's best-known product, and you'll see addresses, possible relatives, licenses held.

It was Asher's technology that helped police find the Washington, D.C., snipers.

Now he is building a super computer and a database "a thousand times more powerful" than anything he has developed yet.

It's a project that worries privacy-rights advocates and other critics. They wonder if Asher's real reason for donating some of his technology to government agencies is to get access to confidential data like firearms registries, tax information, even health records — information that could be a boon to businesses and an unprecedented intrusion into the lives of millions of Americans. [ Read more ... ]

Fishy Android apps may have been malware, says researcher

Submitted by MacRonin on January 11, 2010 - 7:41pm
  • Alert
  • Android
  • banking
  • Companies
  • Exploits
  • Finance
  • Google
  • Hmmm
  • Person Career
  • Privacy
  • Quotation
  • Scams
  • Security
  • Software
  • Telecommunications
  • Wireless

Fishy Android apps may have been malware, says researcher: Via Computerworld Security News.

Dubious apps appear, then disappear, from Google's Android Market

Suspicious applications that may have stolen users' online banking credentials have appeared on the Android Market, the Google-run app store for its mobile operating system.

Although the potentially-malicious applications first appeared on Google's online mart in December, news of them went public only today as several outlets and security companies noticed warnings posted by banks and credit unions. Google has since removed the applications from the online market.

One of those financial institutions, BayPort Credit Union of Newport News, Va., posted its alert Dec. 22 about a rogue Android app that promised its members easy access to their online banking. "It is believed that fraudsters deployed fraudulent mobile banking applications to the Android Marketplace, using a phishing technique to attempt to gain access to mobile banking users financial information," said BayPort's warning.

First Tech Credit Union of Portland Ore. -- it also has branches in Salem and Eugene, Ore., as well as in the Seattle, Wash. area -- issued a similar warning the same day. [ Read more ... ]

FIPS 140-2 Level 2 Certified USB Memory Stick Cracked

Submitted by MacRonin on January 8, 2010 - 11:57am
  • Activists
  • Alert
  • Cryptography
  • Government
  • Hardware
  • Hmmm
  • How-To
  • Privacy
  • Remember
  • Reviews
  • Security
  • Software
  • Standards

FIPS 140-2 Level 2 Certified USB Memory Stick Cracked: Via Schneier on Security.

Kind of a dumb mistake:

The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. Therefore, the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism. When analysing the relevant Windows program, the SySS security experts found a rather blatant flaw that has quite obviously slipped through testers' nets. During a successful authorisation procedure the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations -- and this is the case for all USB Flash drives of this type.

Cracking the drives is therefore quite simple. The SySS experts wrote a small tool for the active password entry program's RAM which always made sure that the appropriate string was sent to the drive, irrespective of the password entered and as a result gained immediate access to all the data on the drive. The vulnerable devices include the Kingston DataTraveler BlackBox, the SanDisk Cruzer Enterprise FIPS Edition and the Verbatim Corporate Secure FIPS Edition.

Nice piece of analysis work.

The article goes on to question the value of the FIPS certification: [ Read more ... ]

Web Censor Seeks $2.2 Billion for China Hack

Submitted by MacRonin on January 7, 2010 - 4:40pm
  • Asia
  • China
  • Chinese government
  • Companies
  • Copyright
  • Court
  • Elliot Gipson
  • Government
  • Hmmm
  • Infrastructure
  • ISP - Internet Service Providers
  • Person Career
  • Privacy
  • Quotation
  • Software
  • USD

Web Censor Seeks $2.2 Billion for China Hack: Via Threat Level.

A California web-filtering company says it is the victim of “one of the largest cases of software piracy in history.”

Lawyers for adult- and violent-content web-filtering company CYBERsitter claim in a federal lawsuit that the Chinese government purloined some 3,000 lines of its code from its servers as part of software for a national censorship project -- in which several international computer makers are accused of knowingly distributing throughout China.

“They are heavy allegations. Three thousand lines of code, approximately, were stolen. It was a serious thing that was done,” Elliot Gipson, a lawyer for Santa Barbara-based CYBERsitter, said in a telephone interview Thursday.

Gipson said about 56 million copies of China’s government censorship software, part of the so-called Green Dam project, were marketed with his client’s code in China last year.

The complaint, which seeks $2.2 billion in damages, (.pdf) names Sony, Lenovo Group, Toshiba, ACER and, among others, ASUSTeK. [ Read more ... ]


Large-scale attacks exploit unpatched PDF bug

Submitted by MacRonin on January 7, 2010 - 11:59am
  • Adobe
  • Alert
  • Companies
  • Exploits
  • ISC
  • Person Career
  • Privacy
  • Quotation
  • Security
  • Software
  • Symantec

Large-scale attacks exploit unpatched PDF bug: Via Computerworld Cybercrime/Hacking News.

A week before Adobe is scheduled to patch a critical vulnerability in its popular PDF software, hackers are actively exploiting the bug with both targeted and large-scale attacks, a security researcher said today.

The SANS Institute's Internet Storm Center (ISC) reported Monday that they'd received samples of a new rigged PDF document that hijacked PCs using a bug Adobe acknowledged Dec. 14. Later last month, Adobe said it would not patch the bug until Jan. 12. In his write-up of the sample, ISC analyst Bojan Zdrnja called the attack PDF "sophisticated" and its use of egg-hunt shellcode "sneaky."

"Egg-hunt shellcode" is a term for a multi-stage payload used when the hacker can't determine where in a process' address space the code will end up. [ Read more ... ]


Suricata (an Open Source Next Generation Intrusion Detection and Prevention Tool) Beta Available for Download

Submitted by MacRonin on January 2, 2010 - 3:29pm
  • Beta
  • DoD - Department of Defense
  • Government
  • Hmmm
  • Homeland Security
  • IDS
  • Infrastructure
  • Intrusion Detection
  • Open Information Security Foundation
  • Open Source
  • Privacy
  • Security
  • Software
  • Suricata
  • Technology
  • TSA - Transportation Security Administration

Suricata Beta Available for Download!!: Via The Open Information Security Foundation.

It's been about three years in the making, but the day has finally come! We have the first release of the Suricata Engine! The engine is an Open Source Next Generation Intrusion Detection and Prevention Tool, not intended to just replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field.

The OISF is part of and funded by the Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the Navy's Space and Naval Warfare Systems Command (SPAWAR), as well as through the very generous support of the members of the OISF Consortium. More information about the Consortium is available, as well as a list of our current Consortium Members.

The Suricata Engine and the HTP Library are available to use under the GPLv2. 

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. [ Read more ... ]


Underground Services Let Virus Writers Check Their Work

Submitted by MacRonin on December 31, 2009 - 6:27pm
  • Companies
  • Exploits
  • Hmmm
  • How-To
  • Person Career
  • Security
  • Software

Underground Services Let Virus Writers Check Their Work: Via Threat Level.

I have often recommended file-scanning services like VirusTotal and Jotti, which allow visitors to upload a suspicious file and scan it against dozens of commercial anti-virus tools. If a scan generates any virus alerts or red flags, the report produced by the scan is shared with all of the participating anti-virus makers so that those vendors can incorporate detection for the newly discovered malware into their products.

That pooling of intelligence on new threats also serves to make the free scanning services less attractive to virus authors, who would almost certainly like nothing more than to freely and simultaneously test the stealth of their new creations across a wide range of security software. Still, there is nothing to stop an enterprising hacker from purchasing a license for each of the anti-virus tools on the market and selling access to a separate scanning service that appeals to the virus-writing community.

Enter upstart file-scanning services like av-check.com and virtest.com, which bank on the guarantee that they won’t share your malware with the anti-virus community. [ Read more ... ]


Former Morgan Stanley Coder Gets 2 Years in Prison for TJX Hack

Submitted by MacRonin on December 29, 2009 - 5:37pm
  • Albert Gonzalez
  • Companies
  • Company Location
  • Company Technology
  • Conviction
  • Court (US)
  • Data Breach
  • Decisions
  • Exploits
  • Hmmm
  • ID
  • Law Enforcement
  • lawyer
  • Michael Farkas
  • Morgan Stanley
  • Person Attributes
  • Person Career
  • Person Communication
  • Privacy
  • Scams
  • Security
  • Software
  • software engineer
  • Stephen Watt
  • TJX
  • USD

Former Morgan Stanley Coder Gets 2 Years in Prison for TJX Hack: Via Threat Level.

The two great friends talked every day and shared information about all of their exploits — sexual, narcotic and hacking — according to prosecutors. Now another thing they’ll have to share information about is their experience in federal prison.

While accused TJX hacker kingpin Albert Gonzalez awaits a possible sentence of 17 years or more in prison, one of his best friends and accomplices was sentenced on Tuesday in Boston to two years for his role in what the feds are calling “the largest identity theft in our nation’s history.”

Stephen Watt, a 25-year-old former Morgan Stanley software engineer, pleaded guilty last December to creating a custom sniffing program dubbed “blabla” that Gonzalez and other hackers used to siphon millions of credit and debit card numbers from TJX’s network. The breach cost TJX $200 million, according to its 2009 SEC filing. [ Read more ... ]



Compilation © Copyright 1997-2010 Paul Hardwick, with Web Hosting provided by MacRonin.com.