May 292013


Attackers are exploiting an extremely critical vulnerability in the Ruby on Rails framework to commandeer servers and make them part of a malicious network of hacked machines, a security researcher said.

Ars first warned of the threat in early January, shortly after Rails maintainers issued a patch for the vulnerability. Ars warned at the time that the vulnerability gave attackers the ability to remotely execute malicious code on underlying servers. Criminals’ success in exploiting the bug to make vulnerable machines join a botnet suggests that many server administrators still haven’t installed the critical update more than four months after it was issued.

Servers that have been exploited are infected with software that caused them to join an Internet Relay Chat (IRC) channel on one of at least two servers, security researcher Jeff Jarmoc said in a post published Tuesday to his personal website. Attackers can force servers to download and execute malicious code and join new IRC channels from there.

MORE:   Critical Ruby on Rails bug exploited in wild, hacked servers join botnet | Ars Technica.




May 202013


Three months after hackers working for a cyberunit of China’s People’s Liberation Army went silent amid evidence that they had stolen data from scores of American companies and government agencies, they appear to have resumed their attacks  using different techniques, according to computer industry security experts and American officials.

The Obama administration had bet that “naming and shaming” the groups, first in industry reports and then in the Pentagon’s own detailed survey of Chinese military capabilities, might prompt China’s new leadership to crack down on the military’s highly organized team of hackers — or at least urge them to become more subtle.

But Unit 61398, whose well-guarded 12-story white headquarters on the edges of Shanghai became the symbol of Chinese cyberpower, is back in business, according to American officials and security companies.

MORE:   Chinese Hackers Resume Attacks on U.S. Targets –




May 082013


Security researchers have uncovered an ongoing and widespread attack that causes sites running three of the Internet’s most popular Web servers to push potent malware exploits on visitors.

Linux/Cdorked.A, as the malicious backdoor behind the attacks is known, has been observed infecting at least 400 Web servers, 50 of them from the Alexa top 100,000 ranking, researchers from antivirus provider Eset said. The backdoor infects sites running the Apache, nginx, and Lighttpd Web servers and has already exposed almost 100,000 end users running Eset software to attack (the AV apps protect them from infection). Because Eset sees only a small percentage of overall Internet users, the actual number of people affected is presumed to be much higher.

“This is the first time I’ve seen an attack that will actually target different Web servers, meaning the attacker is willing to create the backdoor for Apache, Lightttp, and nginx,” Pierre-Marc Bureau, Eset’s security intelligence program manager, told Ars. “Somebody is running an operation that can victimize various Web servers and in my opinion this is the first time that has ever happened. This is a stealthy, sophisticated, and streamlined distribution mechanism for getting malware on end users computers.”

Previously, Cdorked was known to infect only sites that ran on Apache, which remains by far the Internet’s most popular Web server application.

MORE: Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too | Ars Technica.




Mar 132013


Google has launched a page and a set of tutorials aimed for webmasters whose site was hacked.

Specifically, Google explains webmasters how to deal with Google’s search warning that a site is dangerous, which usually appears if a hacker has infected the site with harmful code.

“Every day, cybercriminals compromise thousands of websites. Hacks are often invisible to users, yet remain harmful to anyone viewing the page — including the site owner,” claims Google on the site titled “Webmasters help for hacked sites.”

via Google Offers Help to Webmasters Whose Sites Were Hacked.



Mar 052013


Security experts are criticizing online note-syncing service Evernote, saying the service needlessly put sensitive user data at risk because it employed substandard cryptographic protections when storing passwords on servers and Android handsets.

The scrutiny of Evernote’s security comes two days after Evernote officials disclosed a breach that exposed names, e-mail addresses, and password data for the service’s 50 million end users. Evernote blog posts published over the past few years show that the company protects passwords and sensitive user data with encryption algorithms and schemes that contain known weaknesses. That is prompting criticism that the company’s security team isn’t doing enough to protect its customers in the event that hackers are able to successfully compromise the servers or end-user phones.

The chief complaint involves Evernote’s use of the MD5 cryptographic algorithm to convert user passwords into one-way hashes before storing them in a database. Use of MD5 to store passwords has long been frowned on by security experts because the algorithm is an extremely fast and computationally inexpensive way to convert plaintext such as “password” into a unique string of characters such as “5f4dcc3b5aa765d61d8327deb882cf99.” MD5 makes an attacker’s job of cracking the hashes much easier by allowing billions of guesses per second, even on computers of relatively modest means.

By comparison, the use of slow algorithms such as bcrypt, which Twitter uses to protect its passwords, adds considerable time and computing requirements to the task of converting the hashes into the underlying plaintext passwords. Even when hashes are generated using cryptographic salt to add randomness—as Evernote says it does—MD5 is still considered a poor choice.

READ MORE:  Critics: Substandard crypto needlessly puts Evernote accounts at risk | Ars Technica.




Mar 052013


Some say we’re living in a “post-PC” world, but malware on PCs is still a major problem for home computer users and businesses.

The examples are everywhere: In November, we reported that malware was used to steal information about one of Japan’s newest rockets and upload it to computers controlled by hackers. Critical systems at two US power plants were recently found infected with malware spread by USB drives. Malware known as “Dexter” stole credit card data from point-of-sale terminals at businesses. And espionage-motivated computer threats are getting more sophisticated and versatile all the time.

In this second installment in the Ars Guide to Online Security, we’ll cover the basics for those who may not be familiar with the different types of malware that can affect computers. Malware comes in a variety of types, including viruses, worms, and Trojans.

Viruses are programs that can replicate themselves in order to spread from computer to computer, while targeting each PC by deleting data or stealing information. They can also change the computer’s behavior in some way.

“Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program,” Cisco notes. “When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after it is infected by the virus. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected e-mail attachments.”

READ MORE:  Viruses, Trojans, and worms, oh my: The basics on malware | Ars Technica.




Feb 112013


The U.S. is under attack, a recently released national security document has claimed.

China is the top cyberthreat to the U.S., the National Intelligence Estimate (NIE) claims, according to the Washington Post, which obtained information related to the report from unidentified individuals. The NIE, which comes from all U.S. intelligence agencies, says that China has been intensifying attacks on U.S. businesses to identify data that will help the country gain economically, according to the Post.

Over the past five years, the Chinese have focused their efforts on businesses operating in finance, technology, and aerospace, among others, according to the Post.

MORE:  U.S. target of sustained cyber-espionage campaign | Security & Privacy – CNET News.




Nov 192012

Some simple housekeeping can make a world of difference to the likelihood of your site getting hacked. Kim Crawley has the tricks

WordPress is the most popular content management system (CMS) on the web. Developed with PHP, and powered by mySQL databases, WordPress is used by an astonishing 8.5 per cent of all websites. Web-delivered malware and website cracking are becoming increasingly common, and with such a large percentage of web content using WordPress as a CMS, any security vulnerabilities in WordPress’ coding or framework could affect millions of websites.

This article will explain how you can best protect your WordPress site from malware and cracking, without having deep security knowledge.

via 10 simple ways to secure your WordPress site | Feature | .net magazine.




Sep 262012

Researchers have discovered a Java flaw that would let hackers bypass critical security measures in all recent versions of the software. The flaw was announced today by Security Explorations, the same team that recently found a security hole in Java SE 7 letting attackers take complete control of PCs. But this latest exploit affects Java SE 5, 6, and 7—the last eight years worth of Java software.

“The impact of this issue is critical—we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7,” Adam Gowdiak of Security Explorations wrote, claiming the hole puts “one billion users” at risk.

Gowdiak wrote that Security Explorations successfully pulled off the exploit on a fully patched Windows 7 32-bit computer in Firefox, Chrome, Internet Explorer, Opera, and Safari. Although testing was limited to Windows 7 32-bit, Gowdiak told Computerworld that the flaw would be exploitable on any machine with Java 5, 6, or 7 enabled (whether it’s Windows 7 64-bit, Mac OS X, Linux, or Solaris).

MOREYet another Java flaw allows “complete” bypass of security sandbox | Ars Technica.


Sep 252012

I’m not the only one to be getting these spammy direct messages on Twitter that lead to bogus Facebook links. Apparently a lot of people have been complaining of these messages, according to Sophos analyst Graham Cluley who wrote about it on the Naked Security blog.

Different variations of the direct messages include, “your in this [link] lol” and “lol ur famous now [link]” (I got this one too).

Of course, I didn’t click on the link. However, according to Cluley, those people that do click are led to a video player that says, “An update to Youtube player is needed.” Users are asked to download what is supposedly called “FlashPlayerV10.1.57.108.exe,” but Sophos antivirus products detect it as Troj/Mdrop-EML, which is a backdoor Trojan that can copy itself to accessible drives and network shares.

A Slate reporter wrote that he clicked on the bogus link and was directed to Facebook where he was told he had to log in to access an app. It’s unclear if this link also contained some sort of virus, Trojan, or malware.

MORETwitter users may be victims of direct message malware | Security & Privacy – CNET News.