Friday, January 4, 2008

Monster.com hit with another malware attack

For the second time in four months, Monster.com’s website has been victimized by hackers. The latest attack, believed caused by an IFRAME injection vulnerability, forced the jobs website to take part of its web presence offline Monday. The outage impacted much of the Monster Company Boulevard, where job hunters search for positions by company. Businesses involved in the attack include Eddie Bauer, GMAC Mortgage, Best Buy, Toyota Financial Services, and Tri Counties Bank, said Roger Thompson, chief technology officer at Exploit Prevention Labs, one of the early detectors of the attack.

Monster was hit by an IFRAME that linked out to a site that was throwing exploits at users, Thompson told SCMagazineUS.com. The attack, which likely took advantage of a cross-site scripting vulnerability, likely was created using Neosploit, a hacking toolkit similar to Mpack.
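As an added illustration of what defenders look for after an attack like this (not code from Monster.com, Exploit Prevention Labs or the original article), the following Python flags hidden iframes that point off-site, the signature of an injected IFRAME; the sample page, the site host and the injected URL are constructed.

```python
# Added example (not Monster.com's or Exploit Prevention Labs' code): flag hidden,
# off-site <iframe> tags of the kind used in IFRAME injection. Sample HTML and
# hosts below are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_tiny(value):
    """True for width/height values such as 0, 1 or '1px' that hide a frame."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


class _IframeCollector(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # html.parser lower-cases names
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        off_site = host != "" and host != self.site_host  # relative src = same site
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (_is_tiny(a.get("width")) or _is_tiny(a.get("height"))
                  or "display:none" in style or "visibility:hidden" in style)
        if off_site and hidden:
            self.findings.append({"src": src, "line": self.getpos()[0]})


def find_suspicious_iframes(html, site_host):
    """Return hidden iframes whose src points at a host other than site_host."""
    p = _IframeCollector(site_host)
    p.feed(html)
    return p.findings


# Constructed sample: one legitimate same-site frame plus one injected hidden frame.
SAMPLE_PAGE = """<html><body>
<h1>Company Boulevard</h1>
<iframe src="http://www.example-jobs.test/widget" width="300" height="200"></iframe>
<div>Search jobs by company</div>
<iframe src="http://exploit-host.invalid/frame.html" width="0" height="0" style="display: none"></iframe>
</body></html>"""
```

Run over a site's rendered pages, `find_suspicious_iframes(page_html, "www.example-jobs.test")` returns only the hidden off-site frame with the source line where it was injected.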

“It’s not clear exactly what exploits these are yet, because they infect the user’s PC wrapped inside a new form of encryption that we haven’t been able to see inside yet,” Thompson said.

Windows users whose PCs are patched as of April 2007 are safe from the exploit, he said.

“[It] probably caught corporate users more than anyone,” he added. “Corporate users tend not to patch as readily, while consumers tend to turn on auto patching.”

It is unclear who perpetrated the attack, but the Russian Business Network – an internet service provider said to offer “bulletproof” web hosting, often allegedly to criminal groups – is a prime suspect.

Monster, in a statement, said it did not believe the malicious code attack affected many users.

“The malware was designed to make computers running it part of a spamming network,” the statement said. “The virus is detectable by most major anti-virus software, and this issue should not affect users running Windows with the most recent security updates from Microsoft. In addition, we believe only an extremely small percentage of those using the site this week were potentially exposed prior to those pages being cleaned.”

Monster also made news in August, when it said that hackers had penetrated its database and stolen personal information of job hunters. They then used that information to send targeted emails with fraudulent job postings, or attempted to deceive recipients into downloading malicious software.

Hacker created 250,000-strong botnet army

A hacker faces 60 years in prison and a $1.75m fine after pleading guilty to infecting hundreds of thousands of computers with malware in order to steal money from Paypal accounts. John Schiefer, 26, admitted that he and some associates developed malware that allowed them to create botnet armies of as many as 250,000 computers. Schiefer was able to collect information sent from the infected computers, including usernames and passwords for Paypal accounts. He and his associates were then able to make purchases using the Paypal accounts. They also shared the password information with others.

This is the first prosecution of a hacker for this type of activity, according to the US Attorney’s Office for the Central District of California. The Federal Bureau of Investigation pursued the case.

Schiefer says he also found Paypal usernames and passwords using malware that could access usernames filed in a secure storage area on the computers. The malware would send that information to Schiefer, who used it to access the accounts.

Schiefer also acknowledged fraudulently earning more than $19,000 from a Dutch internet advertising agency that hired him as a consultant. He was supposed to install the company’s programs on computers after receiving consent from computer owners. Instead, he and his associates installed it on 150,000 computers that were infected with his malware.

Schiefer is scheduled to appear in the US District Court in Los Angeles on November 28 and be arraigned on December 3.

US Security: NSA Hacks. DHS Spams!

Recent reports point out that the United States National Security Agency will get back at any hacker trying to mess up their systems. Also, it is a known fact that they hack their way into different communication networks to wiretap – they’re just monitoring any possible terrorist conversation. Now, these are just security measures, and though the second is violating privacy, they can’t be called something bad.

However, things are different when it comes to the Department of Homeland Security. The people in their IT department seem to be lacking some skill. As The Register reports, a botched attempt by one subscriber to change the e-mail address he was using to receive messages caused a storm on the DHS mailing list yesterday.

What happened is that instead of sending the message just to the administrators, he clicked on the wrong button. Unfortunately, that button was labeled “reply to all”, and as you’ve probably figured out by now, all the people subscribed to that particular report got his request. A lot of messages continued afterwards, all being sent to the full list of subscribers via what was supposed to be a DHS report service.

Is it normal for people in charge of a country’s security to be this sloppy? A moderated mailing system would have made such a mess virtually impossible, but it seems that they never cared about this. Users that don’t care about security are something we’ve all gotten used to, but to see that even such a great organization doesn’t give a damn about their mailing system is somewhat disturbing.

This also led to the disclosure of the e-mail addresses of the members in the list, as the Register pointed out. I doubt that anyone with malicious intentions was amongst those people, but one could have exploited this in a malicious way. Some problems pop up, just because small matters are not taken into consideration!

Chilean presidency Web page hacked!

SANTIAGO, Chile (AP) A hacker broke into the Web page of Chile’s presidency and planted the flag of neighboring Peru, leaving the site inoperable for about 18 hours until it was restored Monday. The intruder left a message - “Long live Peru,” followed by an expletive - as well as the flag around midday Sunday. Officials took the site down a few minutes later, leaving a notice: “Because we want to give a better service, we are working for you.”

The site was restored Monday morning.

Carlos Portales, political director of the Chilean foreign ministry, said the incident is being investigated.

“It has happened with other Web pages, including some from the United States government, the Vatican,” Portales told reporters.

The Santiago daily El Mercurio on Monday reported that officials believe the hacker was a Peruvian.

While Chile and Peru have generally friendly relations, tension sporadically breaks out over the aftermath of two 19th century wars between the countries and a dispute over maritime boundaries has been developing.

The Web page carried information about activities of President Michelle Bachelet and about the upcoming Ibero American Summit for leaders from throughout Latin America, Spain and Portugal. Portales said the incident does not appear related to the summit.

Hacker uses public APIs to breach eBay

eBay has begun an audit of its IT systems after a hacker managed to access and disable user accounts. The company said last week that the hacker exploited public application programming interfaces (APIs) that enable merchants to build e-commerce sites on top of eBay. “This fraudster found very old administrative interfaces into the eBay system that had not been deactivated when we changed the security of our internal systems several years ago,” a member of the company’s trust and safety division said in a posting on an eBay blog.

Hackers crawling over the web

The web is getting bigger, but also more dangerous. In the early days, it was like the Wild West – there were dangers out there, but if companies kept their wits about them and knew the basics of self-defence, they could get by.

Not anymore. Security experts are already looking back on 2006 as the year that web threats matured and became increasingly sophisticated. It was a year in which organised cyber criminals increasingly turned their attention away from email towards web traffic as their target of choice.

Last year saw an aggressive rise in web attacks. According to ScanSafe’s Annual Global Threat Report, spyware increased by 254 per cent in 2006, eclipsing email threats for the first time. The boundaries between spyware, adware and viruses have become blurred and criminals are now targeting multiple internet platforms with more focused, financially-oriented attacks.

For many malware authors, their motives have shifted from a desire to show off their technical prowess or create anarchy, to a greed-driven search for money. In 2006, over 65 per cent of web virus payloads were intended to achieve some direct financial benefit.

Last year also saw web 2.0 increasingly under siege, with hackers targeting social networking sites, chat rooms, popular search engine results and instant messaging.

The sheer scale of these threats has taken many corporate IT departments by surprise, as they grapple with balancing security and liability concerns with the realisation that the web is a mission-critical business communications tool.

The clear message is that businesses can no longer rely solely on traditional IT security solutions on the desktop or corporate network. Anti-virus software, firewalls and intrusion protection systems are valuable shields, but they are not impervious to today’s socially engineered, pernicious web threats.

IT departments are already taking action. Many companies have had help in scanning and filtering email traffic for some years. Now they are looking for help with their web traffic.

According to a recent survey of companies that already buy in managed IT services, 2007 will see a focus on security. The study from the Computing Technology Industry Association found that 33 per cent planned to increase their spending on managed security services. The reasons they gave are the traditional ones – a lack of in-house skills, lower cost, and the freedom to concentrate on their core competencies.

These findings are backed by another recent report from industry analyst group Frost & Sullivan. It sees the managed security services market in EMEA soaring from $81.7m in 2005 to $603.7m in 2012.

If this suggests that the next five years will be a challenging, but rewarding period for web security-as-a-service providers, it also means plenty of opportunities for channel partners.

IT departments are finding that managed web security services are scalable, flexible, have a lower total cost of ownership than hardware and software solutions, and free up valuable network bandwidth. In fact, most customers report a 30-40 per cent saving over on-premise solutions.

For the channel, web security-as-a-service offers quick entry into the lucrative managed services security market. Because it doesn’t require investment – in development, infrastructure or hardware – it also provides a painless way for resellers to add web security to their portfolio of solutions.

Managed services also offer recurring revenue for channel partners, which is especially appealing given the declining margins of premise-based solutions. Hardware and software web security solutions have attained a certain maturity in their lifecycle and saturation in the marketplace. As a result, the margins on hardware and software solutions have steadily declined. This is not the case with web security-as-a-service, a relatively new offering with wide appeal across industry verticals and among SME businesses as well as larger enterprise accounts.

The net result for channel partners is that managed security services help boost gross margins and offer an easier, more cost effective way for customers to conquer web-based threats.

VoIP gets hacked

Have you jumped on the VoIP bandwagon? Secure? Think again: a US hacker has been jailed for two years after breaching security at 15 separate telcos with ‘incredible ease’.

‘Evil’ techie genius Robert Moore has recently been jailed in the US after exposing tremendous flaws in the IT infrastructures of tens of telcos, stating it was ‘incredibly easy’ because of basic IT security mistakes.

His global hacking spree targeted telcos and corporations, allegedly aiming to steal voice over IP services and sell them through a company he was working for.

“It’s so easy. It’s so easy a caveman can do it,” he laughed.

“When you’ve got that many computers at your fingertips, you’d be surprised how many are insecure.”

It has been reported that he stole 10 million minutes of service and re-sold them at discounted rates, netting more than $1 million from the scheme although only receiving $20,000 personally for his efforts.

AT&T reported at the trial that Moore ran 6 million scans on its network alone; aliases have been used for the other companies that were successfully targeted, in an attempt to shore up confidence in their services.

One small telco went out of business because of expenses the company incurred due to the amount of traffic Moore was responsible for diverting through their network.

Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure.

The biggest insecurity? Default passwords.

“I’d say 85% of them were misconfigured routers. They had the default passwords on them,” said Moore. “You would not believe the number of routers that had [Removed] or [Removed] as passwords on them.

“We found the default password for it, and basically we could get in almost every time. Then we’d have all sorts of information, basically the whole database, right at our fingertips.”

Time to do a free security check on all your clients’ servers?