<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Network Security</title>
	<atom:link href="http://www.networksecurity.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.networksecurity.com</link>
	<description></description>
	<lastBuildDate>Wed, 16 May 2012 07:29:11 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Hackers Deal a Deadly Blow to Virtual Currency</title>
		<link>http://www.networksecurity.com/hackers-deal-a-deadly-blow-to-virtual-currency/</link>
		<comments>http://www.networksecurity.com/hackers-deal-a-deadly-blow-to-virtual-currency/#comments</comments>
		<pubDate>Tue, 15 May 2012 07:00:14 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=5208</guid>
		<description><![CDATA[<br />
Hackers have done it again. The latest victim is Bitcoinica, the bitcoin exchange company forced to suspend operations after hackers walked away with 18,547 bitcoins worth about US$90,000 from its online wallet last Friday. Bitcoin is digital currency that users can exchange directly through a peer-to-peer model network, without depending on a central payment service.<br />
The stolen bitcoins belonged to the exchange, not users, but the hackers nevertheless raided the company’s user database, compromising personal details such as the ...]]></description>
			<content:encoded><![CDATA[<div class="post_thumb"><a href="http://www.networksecurity.com/wp-content/uploads/2012/05/bitcoinica.jpg"><img src="http://www.networksecurity.com/wp-content/uploads/2012/05/bitcoinica.jpg" alt="" title="bitcoinica" width="538" height="218" class="thumbnail blog_thumb_image" /></a></div>
<p>Hackers have done it again. The latest victim is Bitcoinica, the bitcoin exchange company forced to suspend operations after hackers walked away with 18,547 bitcoins worth about US$90,000 from its online wallet last Friday. Bitcoin is digital currency that users can exchange directly through a peer-to-peer model network, without depending on a central payment service.</p>
<p>The stolen bitcoins belonged to the exchange, not users, but the hackers nevertheless raided the company’s user database, compromising personal details such as the usernames, email addresses and account histories of its customers as well. Whether the hackers managed to get their hands on passwords, which were stored encrypted, is not known. However, they can still launch phishing attacks targeted at the users.</p>
<p>Bitcoinica customers have more bad news coming. The company has agreed to honor the bitcoins but has ceased operations for the time being, which means that customers wanting to withdraw the bitcoins they have in their possession are in for a long wait until the issue is resolved. Bitcoinica plans to re-develop a new platform, so users are looking at months instead of days before they can encash their now worthless bitcoins. Needless to say, this attack has had a negative impact on the entire business of virtual currency, not just Bitcoinica.</p>
<p>Interestingly, Bitcoinica is not new to such attacks. It had lost 43,000 bitcoins last March when hackers compromised the servers of Linode, their web hosting provider. In this latest episode, the hackers&#8217; modus operandi is not yet known, but the usual suspect is SQL injection that feeds on inherent code vulnerability.</p>
<p><strong>Source:</strong> <a href="http://www.cio.com/article/706414/Hackers_Break_Into_Bitcoin_Exchange_Site_Bitcoinica_Steal_90_000_in_Bitcoins?taxonomyId=3089" target="_blank">http://www.cio.com/article/<wbr>706414/Hackers_Break_Into_<wbr>Bitcoin_Exchange_Site_<wbr>Bitcoinica_Steal_90_000_in_<wbr>Bitcoins?taxonomyId=3089</wbr></wbr></wbr></wbr></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/hackers-deal-a-deadly-blow-to-virtual-currency/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Criminals Launch a Fresh Offensive with Gh0st RAT</title>
		<link>http://www.networksecurity.com/cyber-criminals-launch-a-fresh-offensive-with-gh0st-rat/</link>
		<comments>http://www.networksecurity.com/cyber-criminals-launch-a-fresh-offensive-with-gh0st-rat/#comments</comments>
		<pubDate>Mon, 14 May 2012 06:42:33 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=5200</guid>
		<description><![CDATA[<br />
In a series of attacks reminiscent of classic old-school attacks, hackers compromised more than 100 websites, most notably that of U.K. Amnesty International, the world-famous human rights watchdog organization. The earlier hacking of the website of the Israeli Institute for National Security Studies also has many similarities.<br />
In all the instances, the attackers targeted the home page of the website to inject malicious code copied from Metasploit, an open source penetration testing framework. The injected code ...]]></description>
			<content:encoded><![CDATA[<div class="post_thumb"><a href="http://www.networksecurity.com/wp-content/uploads/2011/07/safeguard.jpg"><img src="http://www.networksecurity.com/wp-content/uploads/2011/07/safeguard.jpg" alt="" title="safeguard" width="538" height="218" class="thumbnail blog_thumb_image" /></a></div>
<p>In a series of attacks reminiscent of classic old-school attacks, hackers compromised more than 100 websites, most notably that of U.K. Amnesty International, the world-famous human rights watchdog organization. The earlier hacking of the website of the Israeli Institute for National Security Studies also has many similarities.</p>
<p>In all the instances, the attackers targeted the home page of the website to inject malicious code copied from Metasploit, an open source penetration testing framework. The injected code exploits a Java vulnerability tracked as CVE-2012-0507. Users who accessed the infected homepage would have their computers infected with Gh0st RAT, a remote access Trojan horse program that provides the hackers with full control over the documents, emails, passwords and other information contained in the compromised systems.</p>
<p>What is worse, Gh0st RAT has a low antivirus detection rate, for it is signed with a stolen yet valid digital certificate issued by VeriSign to a Chinese company.</p>
<p>The breach was discovered last week by the security firm Websense, whose automated malware scanners detected the compromise at the Amnesty International and other websites. This attack is incidentally a sequel of the Flashback malware attack that infected more than 600,000 Mac computers earlier this year.</p>
<p>Website owners would do well to patch the software used on their websites to avoid becoming inadvertent carriers of malware. Individual web users would similarly do well to update their browser plug-ins to safeguard against such drive-by download exploits.<br />
Source: <a href="http://www.cio.com/article/706266/Amnesty_International_39_s_UK_Website_Compromised_to_Infect_Visitors_with_Cyberspying_Malware?taxonomyId=3089" target="_blank">http://www.cio.com/article/<wbr>706266/Amnesty_International_<wbr>39_s_UK_Website_Compromised_<wbr>to_Infect_Visitors_with_<wbr>Cyberspying_Malware?<wbr>taxonomyId=3089</wbr></wbr></wbr></wbr></wbr></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/cyber-criminals-launch-a-fresh-offensive-with-gh0st-rat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting Industrial Control Systems from Zero Day Attacks</title>
		<link>http://www.networksecurity.com/protecting-industrial-control-systems-from-zero-day-attacks/</link>
		<comments>http://www.networksecurity.com/protecting-industrial-control-systems-from-zero-day-attacks/#comments</comments>
		<pubDate>Fri, 11 May 2012 08:27:21 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=5195</guid>
		<description><![CDATA[<br />
Cyber criminals have of late increased their attacks on industrial control systems, causing all-round concern. This informative video blog explains the key vulnerabilities rife in such systems and discusses ways to protect them from zero-day attacks.<br />
]]></description>
			<content:encoded><![CDATA[<p><iframe width="560" height="315" src="http://www.youtube.com/embed/rM2svvbu6T0" frameborder="0" allowfullscreen></iframe><br />
Cyber criminals have of late increased their attacks on industrial control systems, causing all-round concern. This informative video blog explains the key vulnerabilities rife in such systems and discusses ways to protect them from zero-day attacks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/protecting-industrial-control-systems-from-zero-day-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is the Cloud Really Safe?</title>
		<link>http://www.networksecurity.com/is-the-cloud-really-safe/</link>
		<comments>http://www.networksecurity.com/is-the-cloud-really-safe/#comments</comments>
		<pubDate>Fri, 11 May 2012 08:17:45 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=5191</guid>
		<description><![CDATA[<br />
A recent study by Context Information Security, information security consultants, exposed a security vulnerability in many cloud networks that allows customers to access remnant data left behind by other customers. The data unearthed by Context existed in the unallocated portions of the disk, and included some personally identifiable information such as parts of customer databases, password hashes and more.<br />
The issue lay in the way the cloud service providers in question provisioned new virtual servers and the manner of ...]]></description>
			<content:encoded><![CDATA[<div class="post_thumb"><a href="http://www.networksecurity.com/wp-content/uploads/2012/05/cloud_safe.jpg"><img src="http://www.networksecurity.com/wp-content/uploads/2012/05/cloud_safe.jpg" alt="" title="cloud_safe" width="538" height="218" class="thumbnail blog_thumb_image" /></a></div>
<p>A recent study by Context Information Security, information security consultants, exposed a security vulnerability in many cloud networks that allows customers to access remnant data left behind by other customers. The data unearthed by Context existed in the unallocated portions of the disk, and included some personally identifiable information such as parts of customer databases, password hashes and more.</p>
<p>The issue lay in the way the cloud service providers in question provisioned new virtual servers and the manner of allocating new storage space.</p>
<p>On signing up with a cloud service provider, clients create new virtual servers by selecting an operating system and the storage space they require using the provider&#8217;s website. At the backend, the provider gathers disk space to contain the virtual image and then uses a preconfigured OS image to overwrite the start of the disk. What this means is that the initialized data fills only the start of the disk and the rest of the disk is never explicitly written to during the provisioning phase. This would not be a problem if such allocation were performed using the hosting operating system&#8217;s file APIs, for the OS would ensure that any uninitialized data is wiped. But the vulnerability comes into play when configuring hypervisors using preconfigured OS images.</p>
<p>The only saving grace perhaps is that such random data would not make sense to a normal user who stumbles upon it, and would benefit only someone specifically looking for it. Even then the data available would be random, and not customer specific. Nevertheless, anyone who stumbles upon it could very well harvest it for illicit gains.</p>
<p>The cloud providers caught up in Context’s study have since fixed the vulnerability, but such a vulnerability could very well exist with other providers outside the ambit of the study. The only effective solution as such is for clients to encrypt all data that has any value. A check on how the provider provisions and deprovisions hypervisors would also help.</p>
<p>Source: <a href="http://www.cio.com/article/706118/Is_Your_Cloud_Provider_Exposing_Remnants_of_Your_Data_?taxonomyId=3089" target="_blank">http://www.cio.com/article/<wbr>706118/Is_Your_Cloud_Provider_<wbr>Exposing_Remnants_of_Your_<wbr>Data_?taxonomyId=3089</wbr></wbr></wbr></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/is-the-cloud-really-safe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The New Route to Compromise Systems: Booby-trapped RTF Documents</title>
		<link>http://www.networksecurity.com/the-new-route-to-compromise-systems-booby-trapped-rtf-documents/</link>
		<comments>http://www.networksecurity.com/the-new-route-to-compromise-systems-booby-trapped-rtf-documents/#comments</comments>
		<pubDate>Thu, 10 May 2012 07:45:25 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=5187</guid>
		<description><![CDATA[<br />
RTF (Rich Text Format) is generally considered as a panacea against malicious code as it does not contain macros, and conversion to RTF automatically deletes any macros on which the malware thrives. However, with cyber criminals getting more and more intuitive by the day, the latest threat comes in the form of booby-trapped RTF documents. Such documents are now ranked as amongst the most common ways by which hackers infect computers with advanced persistent threats (APTs), a form of ...]]></description>
			<content:encoded><![CDATA[<div class="post_thumb"><a href="http://www.networksecurity.com/wp-content/uploads/2012/05/rtf.jpg"><img src="http://www.networksecurity.com/wp-content/uploads/2012/05/rtf.jpg" alt="" title="rtf" width="538" height="218" class="thumbnail blog_thumb_image" /></a></div>
<p>RTF (Rich Text Format) is generally considered as a panacea against malicious code as it does not contain macros, and conversion to RTF automatically deletes any macros on which the malware thrives. However, with cyber criminals getting more and more intuitive by the day, the latest threat comes in the form of booby-trapped RTF documents. Such documents are now ranked as amongst the most common ways by which hackers infect computers with advanced persistent threats (APTs), a form of intrusion by stealth with long term objectives.</p>
<p>RTF content comes either as a document with an .rtf extension, or embedded into MS-Word. Hackers use the latter more often than the former, going by the estimate of security researchers at Trend Micro that 63 percent of malicious Microsoft Office documents exploited vulnerabilities in Microsoft Word. The most common exploits are identified as CVE-2010-3333 and CVE-2012-0158, two bugs related to Microsoft Word&#8217;s code for parsing Rich Text Format content. Such vulnerabilities allow an enterprising cyber criminal to launch macros from RTF files through a link to the document directed to a remote hacker-controlled website that contains the macro-virus infected template. The hacker can even make changes to the malware-spawning macro at will. Another vulnerability, CVE-2012-0183, allows remote code execution.</p>
<p>What is more disturbing, however, is the fact that one of these vulnerabilities, CVE-2010-3333, is now two years old and patched by Microsoft, indicating that most users do not bother to update their Microsoft Office installations.<br />
Source: <a href="http://www.cio.com/article/706123/APT_Attackers_Are_Increasingly_Using_Booby_trapped_RTF_Documents_Experts_Say?taxonomyId=3089" target="_blank">http://www.cio.com/article/<wbr>706123/APT_Attackers_Are_<wbr>Increasingly_Using_Booby_<wbr>trapped_RTF_Documents_Experts_<wbr>Say?taxonomyId=3089</wbr></wbr></wbr></wbr></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/the-new-route-to-compromise-systems-booby-trapped-rtf-documents/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Utilities Face the Pressure of Cyber Attacks</title>
		<link>http://www.networksecurity.com/utilities-face-the-pressure-of-cyber-attacks/</link>
		<comments>http://www.networksecurity.com/utilities-face-the-pressure-of-cyber-attacks/#comments</comments>
		<pubDate>Wed, 09 May 2012 07:05:13 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=5178</guid>
		<description><![CDATA[<br />
American water and energy utilities have of late come under massive attack from cyber criminals. While some attacks could be explained as a general across-the-board increase in cyber attacks to gain sensitive business information, the specific and focused nature of the attacks points a finger to subversion. Of the 17 recent incidents investigated by the ICS-CERT team that assists network and forensics analysis, 11 were sophisticated attacks orchestrated by professionals.<br />
The modus operandi of the cyber criminals has mostly been spear ...]]></description>
			<content:encoded><![CDATA[<div class="post_thumb"><a href="http://www.networksecurity.com/wp-content/uploads/2012/05/cyber_attack.jpg"><img src="http://www.networksecurity.com/wp-content/uploads/2012/05/cyber_attack.jpg" alt="" title="cyber_attack" width="538" height="218" class="thumbnail blog_thumb_image" /></a></div>
<p>American water and energy utilities have of late come under massive attack from cyber criminals. While some attacks could be explained as a general across-the-board increase in cyber attacks to gain sensitive business information, the specific and focused nature of the attacks points a finger to subversion. Of the 17 recent incidents investigated by the ICS-CERT team that assists network and forensics analysis, 11 were sophisticated attacks orchestrated by professionals.</p>
<p>The modus operandi of the cyber criminals has mostly been spear phishing attacks and denial of service attacks targeted at the industrial control systems that operate the utilities.</p>
<p>The Department of Homeland Security (DHS) is in touch with all major utilities players that use industrial control systems to help them remain equipped to withstand cyber attacks. It is also monitoring specific IP addresses.</p>
<p>However, their task is made difficult by the fact that most of the utilities that have come under attack do not deploy the basic network security apparatus required for corporate and industrial control systems. Most of the utilities still use older systems designed before the Internet era, making them vulnerable.</p>
<p>Inherent code flaws are another issue. Follow-up investigations into the recent attack on the Curran-Gardner water utility in Springfield revealed that while Curran-Gardner maintained an extensive collection of logs, the code base was written by a husband-and-wife team who were not professional coders and as such was rife with errors.</p>
<p>The saving grace perhaps is that to date, the attacks notwithstanding, there has not been a single attack that succeeded in disrupting electricity, water or gas supply on a major scale. However, as things stand, it is a disaster waiting to happen.</p>
<p>Source: <a href="http://www.networkworld.com/news/2012/040412-dhs-cyberattack-257946.html" target="_blank">http://www.networkworld.com/<wbr>news/2012/040412-dhs-<wbr>cyberattack-257946.html</wbr></wbr></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/utilities-face-the-pressure-of-cyber-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Collaborative Approach to Cyber Security</title>
		<link>http://www.networksecurity.com/a-collaborative-approach-to-cyber-security/</link>
		<comments>http://www.networksecurity.com/a-collaborative-approach-to-cyber-security/#comments</comments>
		<pubDate>Tue, 08 May 2012 07:10:23 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=5169</guid>
		<description><![CDATA[<br />
Strategic alliances among companies, even when they remain direct competitors, are commonplace, to offer common and non-differentiated services or comply with legal requirements. With the security landscape evolving and maturing, such alliances have started to come up in the network security industry as well. The US government has repeatedly stressed the need for greater information sharing among private networks and the government. Of late, many healthcare majors have joined hands for an industry-wide collaborative effort in combating cyber crime ...]]></description>
			<content:encoded><![CDATA[<div class="post_thumb"><a href="http://www.networksecurity.com/wp-content/uploads/2011/06/cyber_security.jpg"><img src="http://www.networksecurity.com/wp-content/uploads/2011/06/cyber_security.jpg" alt="" title="cyber_security" width="538" height="218" class="thumbnail blog_thumb_image" /></a></div>
<p>Strategic alliances among companies, even when they remain direct competitors, are commonplace, to offer common and non-differentiated services or comply with legal requirements. With the security landscape evolving and maturing, such alliances have started to come up in the network security industry as well. The US government has repeatedly stressed the need for greater information sharing among private networks and the government. Of late, many healthcare majors have joined hands for an industry-wide collaborative effort in combating cyber crime in the industry.</p>
<p>In what is seen as another new initiative in this direction, many organizations across the world have signed up to become members of the Red Sky Alliance, an exclusive online community that aims to protect members by identifying and neutralizing advanced threats that emanate from organized cyber criminals.</p>
<p>In essence, Red Sky is a secure information sharing portal that facilitates collaboration among companies in matters related to information security. An organization sharing details on an attack or how it managed to contain or neutralize a malware would allow other members to take specific safeguards.</p>
<p>While information sharing is widely recognized as an effective means to thwart or contain the spread of cyber attacks, the potential implications of making public the trade secrets and sensitive company information that may come with such information make many organizations dither. By ensuring that the disclosed information remains exclusive to members and comes with many safeguards, Red Sky allows companies to provide cyber intelligence without compromising their commercial interests.</p>
<p>With the signs for network security still ominous, such networks would become even stronger in the coming days.</p>
<p>Source: <a href="http://www.csoonline.com/article/705856/red-sky-alliance-an-experiment-in-information-sharing?page=2" target="_blank">http://www.csoonline.com/<wbr>article/705856/red-sky-<wbr>alliance-an-experiment-in-<wbr>information-sharing?page=2</wbr></wbr></wbr></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/a-collaborative-approach-to-cyber-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Smart Phones, The New Happy Hunting Grounds for Cyber Criminals</title>
		<link>http://www.networksecurity.com/smart-phones-the-new-happy-hunting-grounds-for-cyber-criminals/</link>
		<comments>http://www.networksecurity.com/smart-phones-the-new-happy-hunting-grounds-for-cyber-criminals/#comments</comments>
		<pubDate>Mon, 07 May 2012 09:41:50 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=5172</guid>
		<description><![CDATA[<br />
Hackers and cyber criminals now seem to be focusing their energies on smartphones rather than traditional desktop PCs.<br />
The information security coordinator at the California State University, San Bernardino, for instance, estimates 50,000 separate network attacks on its servers every week, with a good majority of such attacks targeting the Google Android or Apple iPhone smartphones of the students or faculty rather than the official website. The range of attacks targeted towards smartphones has now broadened in scope to ...]]></description>
			<content:encoded><![CDATA[<div class="post_thumb"><a href="http://www.networksecurity.com/wp-content/uploads/2012/01/mobile.jpg"><img src="http://www.networksecurity.com/wp-content/uploads/2012/01/mobile.jpg" alt="" title="mobile" width="538" height="218" class="thumbnail blog_thumb_image" /></a></div>
<p>Hackers and cyber criminals now seem to be focusing their energies on smartphones rather than traditional desktop PCs.</p>
<p>The information security coordinator at the California State University, San Bernardino, for instance, estimates 50,000 separate network attacks on its servers every week, with a good majority of such attacks targeting the Google Android or Apple iPhone smartphones of the students or faculty rather than the official website. The range of attacks targeted towards smartphones has now broadened in scope to include SQL injections, brute-force attacks, drive-by downloads and much more. Such attack forms were mostly confined to traditional PCs until recently.</p>
<p>As if to confirm this trend, researchers at Lookout Mobile Security have unearthed hackers compromising multiple websites to launch a drive-by download exploit that would deliver malicious software to smartphones. The malware would download automatically to the smartphones of unsuspecting visitors with outdated patches. The worm does no apparent damage to the smartphone itself, and rather uses it to gain illicit entry to the network to which the phone connects. This episode is the first discovery of cyber criminals using websites to compromise smartphones.</p>
<p>Such a change in focus from the hackers is partly owing to the rising popularity of smartphones, which is very often at the expense of traditional desktops and laptops, but mainly owing to the realization that smartphones have always been more susceptible to malware than traditional PCs, only that the matter went relatively unnoticed till recently. Moreover, many users jailbreak their smartphones, especially Apple iOS devices, and in the process eliminate the in-built security.<br />
Source: <a href="http://www.cio.com/article/705825/iPhones_Android_Devices_Hot_Targets_Among_50_000_Network_Attacks_on_California_University?taxonomyId=3089" target="_blank">http://www.cio.com/article/<wbr>705825/iPhones_Android_<wbr>Devices_Hot_Targets_Among_50_<wbr>000_Network_Attacks_on_<wbr>California_University?<wbr>taxonomyId=3089</wbr></wbr></wbr></wbr></wbr></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/smart-phones-the-new-happy-hunting-grounds-for-cyber-criminals/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CyberCriminals Make it Rich at Google&#8217;s Expense</title>
		<link>http://www.networksecurity.com/cybercriminals-make-it-rich-at-googles-expense/</link>
		<comments>http://www.networksecurity.com/cybercriminals-make-it-rich-at-googles-expense/#comments</comments>
		<pubDate>Fri, 04 May 2012 10:06:13 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=5167</guid>
		<description><![CDATA[<br />
Well, crime pays, at least when it comes to cyber crimes.<br />
The Flashback malware that recently infected more than 600,000 Macs may have gone off the radar, but it is still generating over $10,000 a day for its masters.<br />
The malware, having wormed its way onto the Mac through a now patched Java vulnerability, makes money through click fraud. Google normally displays ads alongside search results. Flashback.K loads an ad-clicking component into the web browser. This ad ...]]></description>
			<content:encoded><![CDATA[<div class="post_thumb"><a href="http://www.networksecurity.com/wp-content/uploads/2011/08/cyber_criminal.jpg"><img src="http://www.networksecurity.com/wp-content/uploads/2011/08/cyber_criminal.jpg" alt="" title="cyber_criminal" width="538" height="218" class="thumbnail blog_thumb_image" /></a></div>
<p>Well, crime pays, at least when it comes to cyber crimes.</p>
<p>The Flashback malware that recently infected more than 600,000 Macs may have gone off the radar, but it is still generating over $10,000 a day for its masters.</p>
<p>The malware, having wormed its way onto the Mac through a now patched Java vulnerability, makes money through click fraud. Google normally displays ads alongside search results. Flashback.K loads an ad-clicking component into the web browser. This ad component redirects users to ads different from what the site normally shows, and then indulges in “ghost clicks” wherein the bot rather than the human clicks on the ads. The fraudsters behind this endeavor, a.k.a. the owners of the Flashback Trojan, receive kickbacks from intermediaries for each ad thus clicked.</p>
<p>To make the arithmetic more specific, a hijacked ad generates $0.008 per click. This means 1,000 “bot” clicks mean $8 for the hackers, 10,000 bot clicks $80, and so on. With 600,000 infected Macs, Symantec estimates a revenue of over $10,000 a day for the brain behind this scheme.</p>
<p>Although security majors such as Symantec have sinkholed the botnet, the revenue from the fraudulent ad-clicks remains active. The ad-clicking component of the malware communicates to a different set of command and control servers. The IP addresses of such C&amp;C servers come hard-coded into the malware, and as such, security experts have not yet managed to breach and sinkhole such servers.</p>
<p>The only solace for the infected Mac users is that they themselves do not lose money, and in fact do not notice anything amiss unless they specifically seek out relevant ads in the webpages they visit. The perpetrators of Flashback.K make the money at Google’s and the advertiser’s expense, using the infected Macs as unwitting accomplices.<br />
Source: <a href="http://www.cio.com/article/705364/Flashback_Gang_Could_Be_Making_10K_a_Day_Off_Infected_Macs?taxonomyId=3089" target="_blank">http://www.cio.com/article/<wbr>705364/Flashback_Gang_Could_<wbr>Be_Making_10K_a_Day_Off_<wbr>Infected_Macs?taxonomyId=3089</wbr></wbr></wbr></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/cybercriminals-make-it-rich-at-googles-expense/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Networked World Becomes Meaner</title>
		<link>http://www.networksecurity.com/the-networked-world-becomes-meaner/</link>
		<comments>http://www.networksecurity.com/the-networked-world-becomes-meaner/#comments</comments>
		<pubDate>Fri, 04 May 2012 07:59:01 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=5156</guid>
		<description><![CDATA[<br />
In this video blog, Fortinet&#8217;s Derek Manky reviews some of the key network security developments in the past few weeks. The blog touches on the emergence of the new Tigerbot Android Malware, the dangers of 2Pac Shakur-related Web links and new developments in Ransomware code. The speaker also elucidates on the basic precautions users may take to prevent themselves from becoming victims.<br />
]]></description>
			<content:encoded><![CDATA[<p><iframe width="560" height="315" src="http://www.youtube.com/embed/EhbT3SoWGWs" frameborder="0" allowfullscreen></iframe><br />
In this video blog, Fortinet&#8217;s Derek Manky reviews some of the key network security developments in the past few weeks. The blog touches on the emergence of the new Tigerbot Android Malware, the dangers of 2Pac Shakur-related Web links and new developments in Ransomware code. The speaker also elucidates on the basic precautions users may take to prevent themselves from becoming victims.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/the-networked-world-becomes-meaner/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

