Category: Warnings

Small banking institutions have to depend on third parties to keep them abreast of emerging fraud schemes and attack trends, such as DDoS. First Landmark, however, knew from its founding in 2008 that it had to outsource most of its information technology and security management, says Leigh Pharr, the bank’s senior vice president.

“We are very fortunate in that senior management here and our president are very in-tune with DDoS attacks, and we keep all of our employees well-educated on what might happen, what can happen,” Pharr says. “While we do rely on our core processor to provide us with all of the technical, online banking products, we are not satisfied that is all we need to ensure we are secure and that our accounts are protected,” Pharr says. “That’s why we have hired other third party providers [such as CSI] to come in and test our systems – try to break us. “

As the managers of online-banking platforms for the majority of small and mid-tier banking institutions throughout the U.S., core processors have a responsibility to ensure their institution customers are protected and are investing in up-to-date solutions.

Link: http://www.bankinfosecurity.com/blogs/small-banks-prepping-for-ddos-attacks-p-1449?rf=2013-04-11-eb&elq=1a992929888647e29512fd7c7911f434&elqCampaignId=6408

“As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence,” HostGator said in a post. “This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack,” it said.

Link: http://www.computerworld.com/s/article/9238377/Wide_scale_attack_against_WordPress_blogs_reported?source=CTWNLE_nlt_dailyam_2013-04-15

According to the Security Bulletin Advance Notification for April 2013, the first critical update is for all versions of Internet Explorer (IE), including the newest IE 10, on Windows 8 and RT. This vulnerability should be at the top of patching priority lists as it allows remote code execution through users visiting a compromised website, which is of the most popular attack methods, said Wolfgang Kandek, chief technology officer at security firm Qualys.

Andrew Storms, director of security operations at nCircle, said it is almost certain that this month’s IE patch fixes the Pwn2Own bug from CanSec West.

The second Microsoft security update is aimed at a “critical” vulnerability that affects the Windows Operating System, except the newest versions – Windows 8, Server 2012 and Windows RT for tablets. “The vulnerabilities addressed in these bulletins typically allow the attacker an escalation of privilege from a normal user to an admin-level user once they are already on the machine or can trick the user to open a specifically crafted file,” said Kandek.

Ziv Mador, director of security research at Trustwave, said it would be interesting to find out how the vulnerability in Windows Defender was discovered and disclosed.

There is also an out-of-cycle update for Java from Oracle this month.

Link: http://www.computerweekly.com/news/2240181030/Security-updates-likely-to-keep-admins-busy-this-month?utm_medium=EM&asrc=EM_ERU_21243939&utm_campaign=20130408_ERU%20Transmission%20for%2004/08/2013%20(UserUniverse:%20626713)_myka-reports@techtarget.com&utm_source=ERU&src=5119914

“Given that these are dynamically generated, there would be no viable means to do a search to ferret them out on Google, etc.,” Mary Landesman a senior security researcher for Cisco Systems’ TRAC team, told Ars.

Referring to the rogue Apache modules that are injected into infected sites, he added, “Since late 2012 people have sent me new versions of the malicious modules, so this malware is in active development, which means that it pays off well and the number of infected servers can be high (especially given the selectivity of the malware that prefers to stay under the radar rather than infecting every single visitor).”

According to recent blog posts published here and here by researchers from security firm Securi, Darkleech uses rogue Apache modules to inject malicious payloads into the webpages of the sites it infects and to maintain control of compromised systems. They note the third-party attack sites host malicious code from the Blackhole exploit kit, a suite of tools that targets vulnerabilities in Oracle’s Java, Adobe’s Flash and Reader, and a variety of other popular client software. “It looks like the attackers were beforehand well-prepared with some penetration method to gain web exploitation which were used to gain shell access and did the privilege escalation unto root,” the writer of the latter blog post wrote last week, adding that he wasn’t at liberty to discuss the precise method.

The Apache server compromise in many ways resembles a mass infection from 2008 that also used tens of thousands of sites to silently expose visitors to malware attacks. … Because the server malware is designed to conceal itself and because so many individual systems are affected, it can be next to impossible for any one person to gain a true appreciation for the scope of attack.

Link: http://arstechnica.com/security/2013/04/exclusive-ongoing-malware-attack-targeting-apache-hijacks-20000-sites/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29

“In the last few years we have shown enough data that proves that the number and complexity of these attacks have been increasing steeply,” said Jamie Blasco, manager of the Vulnerability Research Team at open source security firm AlienVault.

“Legal firms may be the biggest target of nation states because they have so much proprietary information in their systems,” noted Tim Keanini, chief research officer at enterprise security firm nCircle.

However, last month President Obama signed an executive order giving the Secretary of Homeland Security until mid-July to extend the definition of critical infrastructure to include organizations “where a cybersecurity incident could reasonably result in catastrophic regional or national effects.” “That’s not the same as destruction, but it can have a huge impact on companies that live and breath on just-in-time inventories and the ability to connect with their customers immediately.”

Sophisticated, highly-modular malware like Flame isn’t produced by a lone hacker pulling in a few all-nighters, but almost certainly represents skills and sustained efforts of well-compensated professional programmers – or at least a big bankroll and a willingness to ply the black market for exploits. Exploits and techniques developed by state-sponsored efforts can be leaked or reverse-engineered just like any other malware, making their way into the hands of traditional cybercriminals and widely-available exploit collections like Blackhole, Phoenix, and RedKit.

Engaging hacker groups or online criminals to assist with cyber attacks could give nations a way to deny responsibility; however, it could also mean hackers and cybercriminals may have access to the state’s technical and fiscal resources.

Link: http://www.digitaltrends.com/computing/will-the-next-9-11-be-digital/

A flaw in the widely used BIND DNS (Domain Name System) software can be exploited by remote attackers to crash DNS servers and affect the operation of other programs running on the same machines. BIND versions 9.7.x, 9.8.0 up to 9.8.5b1 and 9.9.0 up to 9.9.3b1 for UNIX-like systems are vulnerable, according to a security advisory published Tuesday by the Internet Systems Consortium (ISC), a nonprofit corporation that develops and maintains the software.

The vulnerability can be exploited by sending specifically crafted requests to vulnerable installations of BIND that would cause the DNS server process—the name daemon, known as “named”—to consume excessive memory resources.

“However, at the time of this advisory, BIND 10 is not ‘feature complete,’ and depending on your deployment needs, may not be a suitable replacement for BIND 9.” 

“It took me approximately ten minutes of work to go from reading the ISC advisory for the first time to developing a working exploit,” a user named Daniel Franke said in a message sent to the Full Disclosure security mailing list on Wednesday. Franke is not the only one possible, and that operators of *ANY* recursive *OR* authoritative nameservers running an unpatched installation of an affected version of BIND should consider themselves vulnerable to this security issue,” Wright said. … Franke’s comment, which is that the required complexity of the exploit for this vulnerability is not high, and immediate action is recommended to ensure your nameservers are not at risk.”

This bug could be a serious threat considering the widespread use of BIND 9, according to Dan Holden, director of the security engineering and response team at DDoS mitigation vendor Arbor Networks.

…Several security companies said earlier this week that a recent distributed denial-of-service (DDoS) attack targeting an anti-spam organization was the largest in history and affected critical Internet infrastructure.

“If operators are relying on inline detection and mitigation, very few security research organizations are proactive about developing their own proof-of-concept code on which to base a mitigation upon,” Holden said.

Link: http://www.computerworld.com/s/article/print/9238002/Critical_denial_of_service_flaw_in_BIND_software_puts_DNS_servers_at_risk?taxonomyName=Malware+and+Vulnerabilities&taxonomyId=85