$120 to decrypt your files (ransomware attack)

January 7th, 2011 by papaioan

According to researchers at SophosLabs, hackers are trying to spread a new ransomware in order to extort $120. More specifically, this ransomware encrypts media and Office files on the victim’s computer. As a result, victims cannot access these files (because they have been encrypted by the malicious code) until they pay the hackers.

It seems that this ransomware has hit many computers via drive-by downloads from compromised websites. Many users reported that they received it via a malicious PDF which downloads and installs the ransomware.

The attack changes the Windows desktop wallpaper to show the first part of the ransom message.

http://sophosnews.files.wordpress.com/2010/11/ransomware-wallpaper.jpg

The “HOW TO DECRYPT” txt-file on the desktop contains the message:

Attention!!!

All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself - just look for files in all folders.

There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.

We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.

For details you have to send your request on this e-mail (attach to message a full serial key shown below in this 'how to..' file on desktop): [email address]

The above message contains an email address to contact if the victim wants to recover the encrypted data. It also contains a hex-string fingerprint that changes between runs; it serves as a unique victim ID and must be quoted when the victim contacts the hackers.

File types that can be affected: .jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .odt, .vob, .ifo, .mpeg and .mpg.

Top 10 security threats for 2011

January 7th, 2011 by tsikudis

Imperva announced their Top 10 Security Threats for 2011, which include:

1. Nation-sponsored hacking: Advanced technological threats (the hacker industry and APTs) from hackers who are funded by a government, as with Stuxnet.
2. Insider Threats: A company may be threatened by an employee who is a hacker, or by an outside hacker who has taken over an employee’s account. Access control will be a key factor in neutralizing this threat.
3. Man in the Browser Attacks: Similar to “man-in-the-middle” attacks, but here a trojan is used to interpose itself between the browser and the security mechanisms or libraries. The main purpose is financial fraud in online transactions, which succeeds even when authentication works correctly.
4. Misanthropes and anti-socials (privacy vs. security in social networks): In 2011, popular social networks and tools will put more effort into security than into privacy. This is not the result of privacy issues being resolved, but of an understanding of the real threats to the existence and spread of social networks.
5. Data Loss: All the data we collect on everything needs to be locked down.
6. Cloud Security: Spans computer security, network security and information security, and refers to the wide range of principles, technologies and controls designed to protect the data, applications and infrastructure of cloud computing.
7. Mobile Devices: The mobile Internet and online applications, which are usually technologically complex, make mobile devices vulnerable to threats.
8. Hackers and Criminal Networks: The “hacker industry” is investing more resources in attack techniques and detection evasion.
9. Consolidation: Cyber security has become a business process and cannot be separated from business operations.
10. Regulation: Convergence of data security and privacy regulation worldwide as governments tighten the legal screws on enterprises.

Source: http://www.net-security.org/secworld.php?id=10154

Operation Avenge Assange

January 7th, 2011 by zakkak

Over the last few days WikiLeaks has been one of the hottest topics of the Internet world.

After WikiLeaks released a secret cable listing sites worldwide that the U.S. considers critical to its national security, it was targeted by DDoS attacks.
A few days later Julian Assange was accused of the rape of two Swedish women. Many people think that both the DDoS attacks and the rape accusation were coordinated by the U.S. In addition, the U.S. government persuaded PayPal to stop taking payments for WikiLeaks, while Visa and MasterCard also stopped accepting payments for WikiLeaks.

All the above facts made many people suspicious and worried about freedom of speech on the World Wide Web. As a result, the Operation Payback group is targeting the parties it considers responsible for the WikiLeaks hunt and Assange’s (fake!?) rape case.

As of today the following websites have been attacked:

PostFinance postfinance.ch 2010-12-06
Swedish Prosecution Authority aklagare.se 2010-12-07
EveryDNS everydns.com 2010-12-07
Joseph Lieberman lieberman.senate.gov 2010-12-08
MasterCard mastercard.com 2010-12-08 10:30 UTC
Borgstrom and Bostrom advbyra.se 2010-12-08
BILD (not confirmed) bild.de 2010-12-08 19:30 UTC
Visa visa.com 2010-12-08 21:00 UTC
Sarah Palin sarahpac.com 2010-12-08
Paypal paypal.com 2010-12-09 02:50 UTC
Amazon amazon.com 2010-12-09 23:00 UTC

Those attacks are carried out using a “voluntary” botnet. Users can join the botnet with their PC by running a modified version of the Low Orbit Ion Cannon (LOIC). Running this modified LOIC actually makes your PC a bot in the botnet, and (rumours say) 10 hacktivists (probably the coordinators) point the botnet at a site. The site to be targeted is chosen after discussion on irc://irc.anonops.net in the channel #OperationPayback. Any user who disagrees with an attack can leave the botnet at any time.


Popular web sites are stealing browser histories

December 7th, 2010 by tsikudis

Some of the most popular web sites are exploiting a flaw to read the browser’s Web history, according to researchers at the University of California, San Diego. Their study tracked the 50,000 most popular websites and found that 485 sites exploit the history-sniffing flaw, and 46 of those sites actively download browser history, including youporn.com, gamesfreak.com, newsmax.com, morningstar.com and espnf1.com.

History sniffing is the name given to the combination of JavaScript and Cascading Style Sheet (CSS) properties that enables a site to figure out where a user has been on the Web from the different colour given to links the user has already visited. The researchers’ findings are published in a new study entitled “An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications.”
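Since the post describes the sniffing pattern only in words, here is an added example (not from the post or the UCSD study) of a static check a privacy scanner could run over a fetched page: it looks for the three ingredients the technique needs, a distinct `a:visited` colour, script that reads a link’s computed colour back, and a batch of probe URLs. The sample pages, the indicator names and the threshold of five URLs are all constructed assumptions.

```python
import re

# Ingredient 1: a stylesheet rule that gives visited links their own colour/background.
VISITED_RULE = re.compile(r'a\s*:\s*visited\s*\{[^}]*\b(color|background)\b', re.I | re.S)
# Ingredient 2: script that reads the rendered colour of a link back (computed style).
STYLE_READ = re.compile(
    r'(getComputedStyle\s*\([^)]*\)|\.currentStyle)\s*'
    r'(\.color|\.backgroundColor|\[\s*["\']color["\']\s*\]|'
    r'\.getPropertyValue\s*\(\s*["\']color["\']\s*\))', re.I | re.S)
# Ingredient 3: a list of candidate sites to probe, embedded as URL string literals.
URL_LITERAL = re.compile(r'["\']https?://[^"\'\s]+["\']', re.I)
SCRIPT_BLOCK = re.compile(r'<script[^>]*>(.*?)</script>', re.I | re.S)

PROBE_URL_THRESHOLD = 5  # assumption: fewer literal URLs is normal navigation code

def history_sniffing_indicators(html):
    """Return the indicators found in one page and an overall verdict."""
    scripts = "\n".join(SCRIPT_BLOCK.findall(html))
    visited_styled = bool(VISITED_RULE.search(html))
    reads_link_style = bool(STYLE_READ.search(scripts))
    probe_urls = len({u.strip('"\'') for u in URL_LITERAL.findall(scripts)})
    return {
        "visited_styled": visited_styled,
        "reads_link_style": reads_link_style,
        "probe_urls": probe_urls,
        # All three ingredients together are the signature; any one alone is ordinary web code.
        "suspicious": visited_styled and reads_link_style and probe_urls >= PROBE_URL_THRESHOLD,
    }

# Constructed sample: a page exhibiting the pattern the post describes.
SNIFFER_PAGE = """<html><head><style>a:visited { color: #ff0000; } a { color: #0000ff; }</style></head>
<body><script>
var probes = ["http://bank.example/", "http://mail.example/", "http://shop.example/",
              "http://news.example/", "http://social.example/"];
for (var i = 0; i < probes.length; i++) {
  var a = document.createElement("a"); a.href = probes[i]; document.body.appendChild(a);
  if (getComputedStyle(a).color == "rgb(255, 0, 0)") { /* link was visited */ }
}
</script></body></html>"""

# Constructed sample: ordinary page that styles visited links but never reads the colour back.
BENIGN_PAGE = """<html><head><style>a:visited { color: purple; }</style></head>
<body><a href="http://example.org/about">About</a></body></html>"""

if __name__ == "__main__":
    for name, page in (("sniffer", SNIFFER_PAGE), ("benign", BENIGN_PAGE)):
        print(name, history_sniffing_indicators(page))
```

A static match like this misses scripts that keep their URL list encoded until use, which is exactly the evasion the post attributes to YouPorn.com; catching those needs an instrumented browser that observes the colour reads at run time.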

According to the researchers, about 18 sites, such as Gamestorrents.com, use the exploit to check a user’s past visits to more than 220 sites. YouPorn.com, an amateur porn site and one of the 100 most visited sites on the Web, checks the browsing history for more than 21 sites, and encodes its JavaScript to hide the sites it searches for, decoding it only when used, to cover its tracks.

The widely known vulnerability that these sites exploit exists in all production-version browsers except Apple’s Safari, which was the first to address the threat. Google Chrome and Mozilla Firefox soon followed. Internet Explorer may also defend against this attack if the browser is used in private browsing mode. Production versions of the other browsers are still wide open.

The study also found sites maintained by Microsoft, YouTube, Yahoo and About.com that use JavaScript to track mouse movements on a page in order to see what a user does after arriving on it.

The man behind Mega-D botnet arrested

December 7th, 2010 by papaioan

Last week the FBI arrested the man believed to be behind Mega-D, one of the most notorious botnets, which at one time was thought to be responsible for one third of all spam worldwide. The man is Oleg Nikolaenko, a Russian who was arrested during his latest visit to the United States of America.

The first clue that Nikolaenko was behind Mega-D came when a fake Rolex dealer, Jody Smith, was arrested. After Jody Smith, the FBI arrested Lance Atkinson, an Australian fake-medicine dealer, who admitted he had paid nearly half a million dollars to a third party known only as “Docent” for spam advertising. It is claimed that Oleg Nikolaenko took millions of dollars from companies looking to advertise fake products such as fake Rolexes. After investigation, agents found that email accounts involved in the payment chain belonged to Nikolaenko. In one of these, Nikolaenko kept the command and control files needed for the Mega-D botnet.

Nikolaenko is thought to have run Mega-D since 2007. Mega-D spam has decreased over the last months and its servers have been found unresponsive, but this is attributed to the heavy attention of researchers and authorities.

Finally, the FBI arrested Nikolaenko at the Specialty Equipment Market Association (SEMA) car show in Las Vegas for offences under the CAN-SPAM Act.

Zero-day flaw bypasses Windows UAC

November 28th, 2010 by zakkak

A new vulnerability in the Windows kernel was disclosed this Wednesday (11-24-2010) that could allow malware to attain administrative privileges by bypassing User Account Control (UAC).

A zero-day exploit in Microsoft Windows enables non-administrator accounts to execute code as if they were an administrator. The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems.

A bug in win32k.sys, which is part of the Windows kernel, seems to be responsible for this exploit. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.

This exploit does not allow remote code execution (RCE). Thus, malicious code that uses the exploit first needs to be introduced onto the machine by some other means, so your anti-virus system should be able to block those payloads and keep you safe.


HDCP Cracked !(?)

November 28th, 2010 by Thanos Yannopoulos

HDCP is a content protection scheme, developed by Intel Corp., designed to eliminate the possibility of intercepting high-definition digital data in transit between the source and the display. It prevents copying of digital audio and video content as it travels across DisplayPort, DVI, HDMI, GVIF, UDI and similar connections. HDCP uses a three-stage protection process:

  • Device Authentication and Key Exchange
  • Encryption of Content
  • Key-revocation procedures

In 2001, before HDCP was deployed in any commercial product, a paper revealing cryptanalytic flaws was published. According to this paper the linear key exchange is a fundamental weakness, and the key exchange can be broken with a conspiracy attack (obtaining the keys of 39 devices and reconstructing the secret master matrix).

On September 14th 2010, hackers posted an HDCP master key on Pastebin: the key that protects millions of devices and media contents, such as Blu-ray, against redistribution. Two days later Intel confirmed the authenticity of the key, and a few days after that a programming group released an open-source C implementation of the HDCP encryption/decryption algorithm (not very efficient, since HDCP was designed for hardware) which works and verifies that the leaked key is correct.

But is this the end of HDCP?

What one can really do with this master key is derive keys for devices that work with the keys produced by Intel’s security technology. Also, theoretically, a nefarious user could capture, decrypt and reproduce media travelling across HDMI cables from one device to another. But the most realistic scenario is to build ‘fake’ devices without paying Intel’s fees or meeting its standards. For example, a Chinese manufacturer could produce Blu-ray players or repeaters/recorders capable of connecting to genuine HD TVs, using the leaked master key, without any approval from Intel. Intel, on the other hand, declares that it takes a lot of expertise and money to accomplish that, and that, in combination with legal threats against possible fraud, HDCP remains an effective component for protecting digital entertainment.
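To make the “linear key exchange” weakness and the key-derivation point of the two paragraphs above concrete, here is an added toy model (written for this page, not the leaked code or any project’s implementation) of the HDCP 1.x authentication step: a secret symmetric 40×40 master matrix, device keys that are a linear function of the device’s KSV, and the shared secret Km that both sides compute. The master matrix, seeds and KSVs are random constructed values, not Intel’s.

```python
import random

N = 40          # KSV length and number of 56-bit device keys per device
KEY_BITS = 56   # width of each device key and of the shared secret Km
MASK = (1 << KEY_BITS) - 1

def make_master_matrix(seed):
    """Constructed stand-in for the secret master matrix: symmetric, N x N, 56-bit entries."""
    rng = random.Random(seed)
    m = [[0] * N for _ in range(N)]
    for i in range(N):
        for j in range(i, N):
            m[i][j] = m[j][i] = rng.getrandbits(KEY_BITS)
    return m

def make_ksv(seed):
    """A KSV is 40 bits with exactly 20 set; returned as a list of 0/1 bits."""
    rng = random.Random(seed)
    bits = [1] * 20 + [0] * 20
    rng.shuffle(bits)
    return bits

def derive_device_keys(master, ksv):
    """Device key i = sum_j master[i][j] * ksv[j] mod 2^56.
    This is a linear map from the KSV to the key vector: the flaw the 2001 paper
    exploits, since enough (KSV, keys) pairs pin down the matrix by linear algebra."""
    return [sum(master[i][j] for j in range(N) if ksv[j]) & MASK for i in range(N)]

def shared_secret(own_keys, peer_ksv):
    """Km as one side computes it: add up its own keys at the positions set in the peer's KSV."""
    return sum(own_keys[i] for i in range(N) if peer_ksv[i]) & MASK

def key_exchange(master_seed, ksv_seed_a, ksv_seed_b):
    """Run the exchange between two devices and return (Km at A, Km at B).
    Because the matrix is symmetric, both sums equal ksv_A^T * M * ksv_B."""
    master = make_master_matrix(master_seed)
    ksv_a, ksv_b = make_ksv(ksv_seed_a), make_ksv(ksv_seed_b)
    keys_a = derive_device_keys(master, ksv_a)
    keys_b = derive_device_keys(master, ksv_b)
    return shared_secret(keys_a, ksv_b), shared_secret(keys_b, ksv_a)

if __name__ == "__main__":
    km_a, km_b = key_exchange(1, 2, 3)
    print(f"Km at A = {km_a:014x}, Km at B = {km_b:014x}, agree = {km_a == km_b}")
```

Anyone holding the matrix can call `derive_device_keys` with a freshly chosen KSV and obtain keys that authenticate with genuine devices, which is why a leaked master key matters more than any single device key.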

Analysis of Android Froyo uncovers 88 flaws exposing users’ data

November 28th, 2010 by zakkak

A study by Coverity[1] unveils 88 flaws exposing users’ data. The study examined the publicly disclosed version of the Android kernel. Among the defects discovered in Android were memory corruptions, illegal memory accesses and resource leaks. All of the mentioned defects are considered high-risk.
Coverity said it won’t release details until January, so that Google and the handset vendors have time to issue fixes.
Since Android is the OS of about 26% of smartphones worldwide[2], and companies are supplying their employees with smartphones for mixed business and personal use, malicious software could be deployed to extract information from companies.

[1] http://www.coverity.com/library/pdf/coverity-scan-2010-open-source-integrity-report.pdf

[2] http://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Mobile_devices

Zynga sued for sharing Facebook user IDs with advertisers and data brokers

October 24th, 2010 by tsikudis

The largest Facebook games developer has been hit by a lawsuit for leaking the personal information of 218 million Facebook members to third parties.

Only days have passed since The Wall Street Journal reported that a large number of Facebook apps – including Zynga games such as FarmVille and Mafia Wars – leaked the user IDs of Facebook players and their friends to outside companies.

User IDs are unique identifiers, which can be used to access a user’s Facebook profile by simply going to http://www.facebook.com/#!/profile.php?id=[UID].

The actual harm that might be done if a user’s Facebook ID is exposed is debatable, so Zynga representatives called the lawsuit without merit and stressed that they are preparing a strong defence, according to The Register.

The Facebook social network prohibits the sharing of user IDs with data brokers in its privacy policies and, in order to assuage the critics following these privacy breaches, is planning to encrypt the user IDs.

3rd Summer School on Network and Information Security (NIS’10)

August 6th, 2010 by Manolis Stamatogiannakis

13-17 September 2010, Heraklion, Crete, Greece

Call for Participation

The European Network and Information Security Agency (ENISA) and the Institute of Computer Science (ICS) of the Foundation for Research and Technology – Hellas (FORTH) invite you to the jointly organised 3rd ENISA-FORTH Summer School on Network and Information Security (NIS’10).

The “Future Internet” promises an exciting new world of services and capabilities: devices that will automatically exchange information to facilitate users, services that transparently and seamlessly combine information from different and multiple sources, protocols and systems that are able to handle complex interactions. At the same time, however, concerns about privacy and security increase for individuals, organizations, and society in general. This gives rise to a number of questions, such as where responsibility should be placed and how solutions should be enforced and verified in a world of complex infrastructures and services.

Following the success of NIS’08 and NIS’09, the 3rd edition of the Summer School on Network and Information Security (NIS’10) will cover topics that address legal, technical, and policy issues in this emerging world. The Summer School aims to provide a forum for experts in Information Security, policy makers from EU Member States and EU Institutions, decision makers from the industry, as well as members of the research and academic community, for interacting on cutting-edge and interesting topics in NIS.

Keynote Speakers

  • Dr. Jorgo Chatzimarkakis, Member of the European Parliament, EU
  • Dr. Silvia Adriana Ticau, Member of the European Parliament, EU
  • Mr. Mario Campolargo, Director of the Emerging Technologies and Infrastructures, DG INFSO, European Commission, EU
  • Mr. Bruce Schneier, Chief Security Technology Officer of BT, UK
  • Mr. Mikko Hypponen, Chief Research Officer, F-Secure, FI
  • Mr. Peter Hustinx, Supervisor, European Data Protection Supervisor, EU

Steering Committee

  • Dr. Udo Helmbrecht, Executive Director of ENISA, EU
  • Prof. Constantine Stephanidis, Director of FORTH-ICS, GR, Member of ENISA Management Board

Venue

NIS’10 will take place in Hersonissos, Crete, Greece. Hersonissos is a small town approximately 30km from Heraklion and its airport. For instructions on how to get to the conference venue, please visit the travel information section on the NIS web page. The venue of the Summer School is the Aldemar Knossos Royal Village, a magnificent resort located on the north coast of the island of Crete in Hersonissos.

Online resources