March 2007 - Posts

AV Vendors are starting to add protection:

W32.Grum - Pretends to be IE 7 Download
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9015142
http://www.sophos.com/security/analyses/w32gruma.html
http://www.f-secure.com/v-descs/trojan-proxy_w32_grum_a.shtml


New trojans have surfaced that exploit a vulnerability in Windows animated cursor handling. The malware arrives as .ANI files, an extension rarely used by malware before now, so corporate admins should add ANI to their email blocking lists. Note that Windows recognises a cursor file by its contents rather than its extension, so extension blocking alone will not stop a renamed sample; filter on file content where the gateway supports it.

Users should be cautious with all HTML-based email (use plain text if possible) and should visit only trusted, mainstream websites: a malicious cursor can be referenced from a web page or HTML email and is loaded automatically when the page renders. Successful exploitation runs attacker-supplied code as the logged-on user, and the samples seen so far use that foothold to download and install further malware on the infected system.
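As an added example (not code from the original post or from any of the linked advisories), here is the kind of content check a mail gateway or file scanner could run on attachments whatever their extension. It assumes the published shape of the flaw: Windows copied an "anih" chunk into a 36-byte ANIHEADER structure using the chunk's own declared length, and the earlier MS05-002 fix validated only the first such chunk, so exploit files carry an oversized second one. The two sample files are constructed inline, not real malware.

```python
import struct

ANIH_SIZE = 36          # sizeof(ANIHEADER): the only legitimate "anih" payload size
MAX_LIST_DEPTH = 4      # LIST chunks nest; bound recursion on hostile input


def _chunks(data, start, end):
    """Yield (chunk_id, declared_size, body_offset) for RIFF chunks in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        chunk_id = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        body = pos + 8
        yield chunk_id, size, body
        pos = body + size + (size & 1)        # RIFF chunks are padded to even length


def scan_ani(data):
    """Scan a byte string as an animated cursor (RIFF/ACON) file.

    Returns a list of (offset, message) findings. Identification is by content,
    not by file extension, because Windows loads a cursor from its RIFF header
    regardless of what the file is named.
    """
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return findings                       # not an ANI file at all

    def walk(start, end, depth):
        for chunk_id, size, body in _chunks(data, start, end):
            if body + size > len(data):
                findings.append((body - 8, f"chunk {chunk_id!r} declares {size} bytes past end of file"))
                return
            if chunk_id == b"anih" and size != ANIH_SIZE:
                # Every anih chunk, not only the first, must be exactly 36 bytes.
                findings.append((body - 8, f"anih chunk of {size} bytes (expected {ANIH_SIZE})"))
            elif chunk_id == b"LIST" and depth < MAX_LIST_DEPTH:
                walk(body + 4, body + size, depth + 1)   # skip the 4-byte list type

    walk(12, len(data), 0)
    return findings


def _chunk(chunk_id, payload):
    """Serialise one RIFF chunk with the mandatory even-length padding."""
    pad = b"\0" if len(payload) & 1 else b""
    return chunk_id + struct.pack("<I", len(payload)) + payload + pad


def _riff(chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples (assumption: these model the chunk layout, not any real file).
BENIGN_ANI = _riff([_chunk(b"anih", b"\0" * ANIH_SIZE)])
SUSPECT_ANI = _riff([
    _chunk(b"anih", b"\0" * ANIH_SIZE),       # first anih: valid, passes the old check
    _chunk(b"anih", b"A" * 100),              # second anih: oversized, the exploit shape
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_ANI), ("suspect", SUSPECT_ANI)):
        print(name, scan_ani(blob) or "clean")
```

Feed `scan_ani` the raw bytes of every attachment or downloaded object, not just those ending in .ani; a clean result only means the file is not a malformed cursor, so it complements rather than replaces an AV signature.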

Microsoft Security Advisory (935423)
Vulnerability in Windows Animated Cursor Handling

http://www.microsoft.com/technet/security/advisory/935423.mspx

Other Security Advisories
http://secunia.com/advisories/24659/
http://www.frsirt.com/english/advisories/2007/1151
http://www.avertlabs.com/research/blog/?p=230
http://www.avertlabs.com/research/blog/?p=233
http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/
http://research.eeye.com/html/alerts/zeroday/20070328.html
http://www.us-cert.gov/current/current_activity.html#WINANI
http://www.kb.cert.org/vuls/id/191609

AV Vendors
http://vil.nai.com/vil/content/v_141860.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAV
http://www.sophos.com/sl/va/security/analyses/trojanimoou.html
http://www.f-secure.com/v-descs/exploit_w32_ani_c.shtml

TJX Intruder had retailer's encryption key
http://www.eweek.com/article2/0,1895,2109299,00.asp

QUOTE: The massive data breach at $16 billion retailer TJX involved someone apparently armed with the chain's encryption key, but it might not have been needed as the cyber-thief was accessing data during the card-approval process before it was encrypted.

These are among the latest details in what is almost certainly the worst retail data breach ever. In a 10-K filing to the federal SEC (Securities & Exchange Commission), TJX said it didn't know who the intruders were, but it did provide more details about what they say happened that led to the card information of some 46 million consumers to get into unauthorized hands.

Additional Links
http://www.eweek.com/article2/0,1895,2106322,00.asp
http://www.eweek.com/article2/0,1895,2104200,00.asp

The MS07-009 patch was released in February and should already be applied by most companies and home users. Anyone who has not yet patched should do so quickly, now that exploit code for the ADODB.Connection control is publicly available.

http://www.us-cert.gov/current/current_activity.html#ADODBActiveX

quote:

US-CERT is aware of publicly available exploit code for a vulnerability in the Microsoft ADODB.Connection ActiveX Control. The vulnerability in the ADODB.Connection ActiveX object causes memory corruption, and may allow a remote, unauthenticated attacker to cause Internet Explorer to crash or potentially execute arbitrary code.

More information about this vulnerability can be found in the following:

  • Vulnerability Note VU#589272- ADODB.Connection ActiveX control memory corruption vulnerability
  • Microsoft Security Bulletin MS07-009

US-CERT recommends the following actions to help mitigate the security risks:

Some tech writers speculate this might be a practical joke, while others treat it as a legitimate campaign. If it turns out to be real, MySpace users should track developments carefully during April 2007.

Up next: Month of MySpace bugs
http://blogs.zdnet.com/security/?p=127

QUOTE: The month-of-bugs phenomenon is showing no signs of slowing down. Next up: MySpace. During the month of April, hackers plan to expose security vulnerabilities in the popular social networking portal. The idea behind the planned Month of MySpace Bugs, according to the organizers, is to publish "silly XSS/misleading CSS style bugs" that affect MySpace user pages.

Kim Komando: Prepare now for MySpace bugs
http://www.komando.com/tips/index.aspx?id=3097

QUOTE: How secure is MySpace? It appears as if we are about to find out! The "month of bugs" trend continues with the recently announced MOMBY (Month of MySpace Bugs, Yuss!). Scheduled for April, MOMBY follows similar projects such as the Month of Apple Bugs.

MOMBY: a place for bugs (Official Tracking Site)
http://momby.livejournal.com/

QUOTE: The purpose of the exercise is not so much to expose Myspace as a hive of spam and villainy (since everyone knows that already), but to highlight the monoculture-style danger of extremely popular websites populated by users of various levels of sophistication. We could have just as easily gone after Google or Yahoo or MSN or ZDNet or whatever.

Month of MySpace Bugs: April Fools?
http://news.com.com/2061-10789_3-6168655.html

QUOTE: It appears that the effort is meant mostly to poke fun at the previous "Month of" campaigns that focused on browser, Apple and kernel bugs. "Months of Bugs are whiny, attention-seeking ploys for acceptance," "Mondo Armando" and "Mustaschio" wrote. Oh, when is the MySpace campaign starting? "Were you not paying attention? April 1, 2007

There is limited information from AV vendors currently, but several excellent write-ups on the threat itself are noted below. Because the trojan captures data through the Winsock2 layer on the infected host itself, an SSL connection to a trusted server gives an infected user no protection. Users should be careful in all aspects of Internet access (e.g., email, IM, websites, etc.).

CERT: Gozi Trojan Targets Microsoft Internet Explorer Vulnerabilities
http://www.us-cert.gov/current/current_activity.html#gozi

QUOTE: The Trojan is reportedly spread via IE browser exploits and has primarily targeted infected home computers.  While new and sophisticated exploits can be difficult to defend against, US-CERT encourages users to take the following preventative measures to help mitigate browser-based security risks:

- Install anti-virus software, and keep its virus signature files up-to-date.
- Review the Securing Your Web Browser document.


Secure Works - Excellent In-Depth Analysis
http://www.secureworks.com/research/threats/gozi/?threat=gozi

QUOTE: A single attack by a single variant compromises more than 5200 hosts and 10,000 user accounts on hundreds of sites.

- Steals SSL data using advanced Winsock2 functionality
- State-of-the-art, modularized trojan code
- Spread through IE browser exploits
- Undetected for weeks, months by many AV vendors
- Customized server/database code to collect sensitive data
- Customer interface for on-line purchases of stolen data
- Accounts compromised by stealing data primarily from infected home PCs
- Accounts at top financial, retail, health care, and government services affected
- Data's black market value at least $2 million

Additional Articles:

ISC: Gozi Trojan Steals SSL Encrypted Data for Fun and Profit
http://isc.sans.org/diary.html?storyid=2498

Russian (Gozi) Trojan powering massive ID-theft ring
http://blogs.zdnet.com/security/?p=133

Gozi Trojan Data Up For Sale Using Webmoney
http://digitalmoneyworld.com/gozi-trojan-data-up-for-sale-using-webmoney/

Google Links
http://www.google.com/search?hl=en&q=gozi+trojan

Home
http://www.antispywarecoalition.org/

Documents (Best Practices)
http://www.antispywarecoalition.org/documents/index.htm

FAQ
http://www.antispywarecoalition.org/about/FAQ.html

Members
http://www.antispywarecoalition.org/about/index.htm

Current ASC Members
Aluria Software , an Earthlink company
AhnLab
AOL
Berkman Center for Internet & Society, Harvard Law School
Bit9
Blue Coat Systems
Canadian Coalition Against Unsolicited Commercial Email
US Coalition Against Unsolicited Commercial Email
Canadian Internet Policy and Public Interest Clinic
Center for Democracy & Technology
CNET Networks
Computer Associates
Dell, Inc.
Eset
F-Secure Corporation
Google
Grisoft
HP
ICSA Labs
Internet Education Foundation
ISS
Lavasoft
McAfee Inc.
Mi5 Networks
Microsoft
National Center for Victims of Crime
National Cyber Security Alliance
National Network to End Domestic Violence
Panda Software
PC Tools
Radialpoint
Safer-Networking Ltd.
Samuelson Law, Technology & Public Policy Clinic at Boalt Hall, UC Berkeley School of Law
Sana Security
Shavlik Technologies
Sophos
Spamhaus
Sunbelt Software
SurfControl
Symantec
Tenebril
Trend Micro
Webroot Software
Websense
Yahoo! Inc.

Firefox 2.0.0.3 fixes a weakness in FTP PASV handling (MFSA 2007-11) that a malicious FTP server could use to make the browser open connections to hosts and ports of the server's choosing, including ones behind the user's firewall. The Mozilla development crew addressed it promptly, and most folks should receive it through auto-update without trouble.

http://www.mozilla.com/en-US/firefox/2.0.0.3/releasenotes/
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.3
http://www.mozilla.org/security/announce/2007/mfsa2007-11.html
http://blogs.zdnet.com/security/?p=132
http://www.frsirt.com/english/advisories/2007/1034

In the "what will they think of next" column ... March 24th (Saturday) is supposed to be a day without computers.

National Computer Shutdown Day - March 24th
http://www.eweek.com/article2/0,1759,2105644,00.asp

QUOTE: "Tach it up, tach it up, buddy gonna shut you down," crooned the Kitty, Beach Boys-like, when he heard that March 24 has been designated Shutdown Day 2007 by the folks at shutdownday.org. The global experiment hopes to see if people can function without their computers for one day. "Of course, it has to be a Saturday—why couldn't it be a work day?" laughed the lazy Lynx.

Cisco IP phone users should apply the relevant firmware update if needed, since a single crafted SIP INVITE can reboot an affected phone and deny service. So far, there are no known exploits of this in the wild. This one was of interest as I use a 7961 at work.

Cisco IP Phone 7940/7960 Denial of Service Vulnerability
http://secunia.com/advisories/24600/
http://www.frsirt.com/english/advisories/2007/1023

QUOTE: A vulnerability has been reported in Cisco IP Phone 7940 and 7960, which can be exploited by malicious people to cause a DoS (Denial of Service).  The vulnerability is caused due to an error within the handling of certain SIP INVITE messages. This can be exploited to reboot the device by sending a specially crafted INVITE message with a malformed "sipURI" field of the Remote-Party-ID. The vulnerability is reported in devices running firmware POS3-07-4-00.

Users should ensure they are on the latest version of QuickTime (the flaw being exploited was patched two weeks before this attack surfaced) and, as always, be careful with email, IMs, and websites.

New QuickTime exploit hits MySpace, steals passwords
http://www.f-secure.com/weblog/archives/archive-032007.html#00001144
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9013702

QUOTE: March 19, 2007  (Computerworld) -- A Trojan horse exploiting a flaw in Apple Inc.'s QuickTime that was patched two weeks ago is infecting MySpace.com users' computers, collecting confidential information, including passwords, several security companies said today. The attack is reminiscent of one late last year that plagued MySpace users and forced the popular social networking site to shut down hundreds of profiles.

http://www.microsoft.com/presspass/exec/billg/speeches/2007/03-13MVPSummit.mspx

The use of rootkit techniques by adware and other malware continues to grow, making detection and removal more difficult.

VideoCach - New Adware agent uses Rootkit Techniques
http://www.pandasoftware.com/about/press/viewNews.htm?noticia=8337
http://www.pandasoftware.com/com/virus_info/encyclopedia/overview.aspx?idvirus=153672

QUOTE: PandaLabs has detected the appearance of VideoCach, a new adware specimen. This malicious code is designed to fraudulently promote certain security applications. This adware includes the novelty of using rootkit techniques. Rootkits are programs designed to hide files or processes running on a computer. This makes malicious code that use rootkit techniques more difficult to detect.

Secunia has created a test page for this new vulnerability, which could be used in phishing attacks. It requires user interaction: the victim must click the "Refresh the page" link on IE7's navigation-cancelled page, after which the attacker's script runs in that page and content can be displayed under a spoofed address bar.

Internet Explorer 7 Cross-Site Scripting Vulnerability
http://secunia.com/advisories/24535/
http://www.frsirt.com/english/advisories/2007/0946

QUOTE: A weakness has been identified in Microsoft Internet Explorer 7, which could be exploited by malicious websites to conduct spoofing or phishing attacks. This issue is due to an input validation error in the resource page "res://ieframe.dll/navcancl.htm" when generating the "Refresh the page" link in order to reload a site, which could be exploited by attackers to spoof the displayed address bar by tricking a user into clicking on the "Refresh the page" link while visiting a malicious web page.

This new trojan horse attack has interesting visual features when users become infected.

JS/Shake - Creates an earthquake effect for Internet Explorer
http://vil.mcafeesecurity.com/vil/content/v_124353.htm

QUOTE: JS/Shake is a trojan which invokes your Internet browser and shakes the browser window side to side for a few seconds and then stops. It will then connect to a Russian website which contains adverts and popups.
