
Saturday, 4 January 2014

Posted by Unknown 07:36

FISA GRANTS NSA

Intelligence chief declassifies FISA court approval for collection of phone data



The top U.S. spy opened the door a sliver Friday on the mass collection of telephone records, acknowledging that national intelligence agencies had sought and been granted permission to vacuum up Americans' calling data for three more months.
In a statement released quietly on Friday, the Office of the Director of National Intelligence said Director James Clapper had decided to declassify and disclose that the government made the request to the hush-hush Foreign Intelligence Surveillance Court, which approved it earlier in the day.
U.S. District Judge William Pauley upheld the constitutionality of the National Security Agency's bulk collection of millions of Americans' telephone records — what's called "telephony metadata" — in a controversial ruling in New York last week. The American Civil Liberties Union, which brought the suit challenging the program, said Thursday that it would appeal Pauley's ruling.
Pauley's ruling came just 11 days after U.S. District Judge Richard Leon said the program appeared to be unconstitutional in a ruling in Washington, D.C., that sided with two Americans who wanted their data removed from NSA records.
It's now up to appeals courts and, most likely, the U.S. Supreme Court to sort through the contradictory findings.
The intelligence statement said Friday that Clapper was officially disclosing the FISA process "in order to provide the public a more thorough and balanced understanding of the program," which has polarized Americans over how deeply the U.S. government should dig into their privacy to keep them safe.
Documents released by former NSA contractor Edward Snowden revealed that the agency has been scarfing up phone and Internet metadata — information about where and when calls are made, not the content of those calls — without a warrant since two months after the terrorist attacks of Sept. 11, 2001.
The FISA court reviews the program every three months, meaning Friday's seal of approval is the 36th it has issued since May 2006, when the administration of President George W. Bush successfully persuaded the secret court that the mass collection of data was legal under the USA Patriot Act.
Friday's statement also represented a sharp reversal from March, when Clapper flatly denied in testimony to the Senate Intelligence Committee that the NSA was doing any such thing. 
After the Snowden documents emerged, however, the intelligence community came under vigorous attack from civil liberties advocates, and Clapper issued a public apology in July for having "misstated" the program's reach in his testimony.
"The Intelligence Community continues to be open to modifications to this program that would provide additional privacy and civil liberty protections while still maintaining its operational benefits," Friday's statement said.
While Clapper disclosed that the FISA court had issued the approval, the court's ruling itself wasn't made public.

NSA Server vulnerable to SMTP Spoofing, can be used for Social Engineering 




An Indian hacker known as "Godzilla" has identified a vulnerability in the NSA website that allows an attacker to send fake emails from NSA's SMTP server.

The NSA's SMTP server allows anyone to use the service without verifying the IP address or a password. The most interesting part is that it allows the use of any sender address (e.g. admin@nsa.gov).

This vulnerability could be exploited by an attacker to launch a spear phishing attack: an attacker can send email to anyone inside the organization (e.g. admin2@nsa.gov). Because the mail goes through the NSA's own SMTP server, the attacker need not worry about firewalls.

In a screenshot provided to EHN, the hacker used the email address of NSA Director Gen. Keith B. Alexander (KeithAlexander@nsa.gov) to send an email to another address.

"Sending a mail with a link attached to it. That can be a bot link. Everyone will receive the mail with the .nsa.gov domain as the mail is shot from the same network," the hacker said.

"The mail will be sent with the name of the Director as no one will dare to skip the mail and will have to read it. After opening the mail the attack vector will get active. After this the ball will be in the attacker's court."
"SMTP is a dangerous protocol and if you don't know how to secure it, it's better you shut it down."

"Stupid NSA, you are lucky it's 31st December and we are not in a mood to shoot our malware into your server," the hacker said.
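The misconfiguration described above is a mail server that accepts any MAIL FROM from any client without authentication. As an added example (not code from the article or from any real mail server), the following shows the envelope policy a hardened server enforces beside the permissive behaviour the hacker describes; the client IPs and the trusted network range are constructed.

```python
"""Added example, not code from the article or from the mail server it
describes: the MAIL FROM / RCPT TO policy a correctly configured SMTP
server applies, beside the permissive behaviour the article reports."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_DOMAIN = "nsa.gov"                       # domain named in the article
TRUSTED_NETS = [ip_network("10.0.0.0/8")]      # constructed: the organisation's own address space


@dataclass(frozen=True)
class Envelope:
    client_ip: str        # address the SMTP session comes from
    authenticated: bool   # True if the session completed SMTP AUTH
    mail_from: str
    rcpt_to: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def permissive_policy(env: Envelope) -> str:
    """What the article describes: no IP or credential check and any sender
    address accepted, so an outsider can claim an @nsa.gov identity."""
    return "ACCEPT"


def hardened_policy(env: Envelope) -> str:
    """Relay and sender-ownership checks, written in the spirit of Postfix's
    smtpd_relay_restrictions and reject_sender_login_mismatch (illustrative
    code, not Postfix itself)."""
    client = ip_address(env.client_ip)
    trusted = env.authenticated or any(client in net for net in TRUSTED_NETS)
    sender_local = domain_of(env.mail_from) == LOCAL_DOMAIN
    rcpt_local = domain_of(env.rcpt_to) == LOCAL_DOMAIN

    # Rule 1: mail for foreign domains is relayed only for trusted sessions.
    if not rcpt_local and not trusted:
        return "REJECT 554 relay access denied"
    # Rule 2: a local sender address must be backed by authentication or an
    # internal source. Internet clients delivering to local mailboxes may not
    # claim to be local users; this stops the KeithAlexander@nsa.gov spoof.
    if sender_local and not trusted:
        return "REJECT 553 sender address not owned by this session"
    return "ACCEPT"


# Constructed sessions: the spoof from the article plus legitimate traffic.
SPOOF = Envelope("198.51.100.9", False, "KeithAlexander@nsa.gov", "admin2@nsa.gov")
INBOUND = Envelope("198.51.100.9", False, "partner@example.org", "admin2@nsa.gov")
RELAY_ATTEMPT = Envelope("198.51.100.9", False, "anyone@example.org", "victim@example.net")
STAFF_AUTHED = Envelope("198.51.100.9", True, "analyst@nsa.gov", "partner@example.org")
STAFF_INTERNAL = Envelope("10.4.2.17", False, "analyst@nsa.gov", "partner@example.org")


def compare_policies(envelopes=(SPOOF, INBOUND, RELAY_ATTEMPT, STAFF_AUTHED, STAFF_INTERNAL)):
    """Return {session description: (permissive verdict, hardened verdict)}."""
    return {
        f"{e.mail_from} -> {e.rcpt_to} (auth={e.authenticated}, ip={e.client_ip})":
            (permissive_policy(e), hardened_policy(e))
        for e in envelopes
    }


if __name__ == "__main__":
    for desc, (loose, strict) in compare_policies().items():
        print(f"{desc}\n    permissive: {loose}\n    hardened:   {strict}")
```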

Security researchers at Symantec have spotted a series of Network Time Protocol (NTP) reflection DDoS attacks during the Christmas Holidays.

DDoS attacks are a very simple form of offence that can cause serious problems for targeted systems; behind the term DDoS there are numerous techniques that attackers can exploit to reach their goals.
Last year the principal security firms observed a significant increase in DDoS attacks. The report issued by Arbor Networks on global DDoS attack trends for the first three quarters of 2013 provides an interesting overview of Internet traffic patterns and threat evolution. The data show constant growth in the number of attacks and in their efficiency: the analysts observed a significant increase (32%) in malicious traffic, and IPv4 traffic reached a peak of 69 Tbps, up from 47 Tbps registered in Q2.
(Graphic: DDoS attack size accelerating)
In particular, an increase has been observed in the adoption of the DDoS methodology known as Distributed Reflection Denial of Service (DrDoS), which essentially exploits misconfigured DNS (Domain Name System) servers to launch powerful DDoS attacks. The abuse of DNS systems is just one option for the attacker: security researchers at Symantec have spotted a new, insidious method of conducting DDoS attacks, as cyber criminals started a series of Network Time Protocol (NTP) reflection DDoS attacks during the Christmas holidays.
In the graph below it is possible to note that on December 16th nearly 15,000 IP addresses, likely belonging to a botnet, were observed taking part in the Network Time Protocol (NTP) reflection DDoS attack.
(Graphic: Network Time Protocol reflection DDoS spike, December 2013)
The Network Time Protocol (NTP) is a networking protocol widely used  for clock synchronization purpose between systems over packet-switched, variable-latency data networks.
Network Time Protocol (NTP) implementations exchange timestamps using the User Datagram Protocol (UDP) on port number 123.
“NTP is one of those set-it-and-forget-it protocols that is configured once and most network administrators don’t worry about it after that. Unfortunately, that means it is also not a service that is upgraded often, leaving it vulnerable to these reflection attacks,” states the Symantec post, highlighting how dangerous it is to ignore the evolution of each service our systems use.
Exactly as in a DNS reflection attack, in the Network Time Protocol (NTP) reflection DDoS the attacker sends small spoofed 8-byte UDP packets to the vulnerable NTP server, which cause megabytes of data to be sent to the target IP address.
CVE has already assigned the Network Time Protocol vulnerability the identifier CVE-2013-5211; the attackers exploit the monlist command for these offensives.
“Monlist is a remote command in older version of NTP that sends the requester a list of the last 600 hosts who have connected to that server.  For attackers the monlist query is a great reconnaissance tool.  For a localized NTP server it can help to build a network profile.  However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic” reports Symantec.
[root@server ~]# ntpdc -c monlist [hostname]
To protect a Network Time Protocol server it is necessary to update it to NTP 4.2.7, a version that has dropped support for the ‘monlist’ query in favour of a new, safe ‘mrulist’ function which uses a nonce value to ensure that the received IP address matches the actual requester.
“If upgrading is not an option, you can start the NTP daemon with noquery enabled in the NTP conf file. This will disable access to mode 6 and 7 query packets (which includes monlist).”
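The two mitigations quoted above (noquery on the default restriction, or turning off the monitor facility that feeds monlist) can be checked mechanically. The following is an added example, not code from the article or from the NTP project, that audits ntp.conf text for them; the configuration files it runs against are constructed here. It only inspects the default restriction, so a more permissive per-host restrict line would still need manual review.

```python
"""Added example, not code from the article or from the NTP project: an
audit of ntp.conf for the two monlist mitigations the article quotes,
run against constructed weak and hardened configuration files."""

WEAK_CONF = """\
# constructed: a typical pre-2014 ntp.conf; mode 7 queries are open to everyone
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
server 0.pool.ntp.org iburst
"""

HARDENED_CONF = """\
# constructed: both mitigations applied
driftfile /var/lib/ntp/ntp.drift
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server 0.pool.ntp.org iburst
"""

MONITOR_ONLY_CONF = """\
# constructed: monlist data is gone, but other mode 6/7 queries are still answered
disable monitor
restrict default kod nomodify notrap nopeer
"""


def parse_conf(text):
    """Yield (keyword, args) for every configuration line, comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0].lower(), parts[1:]


def default_restrict_flags(args):
    """For a 'restrict [-4|-6] default ...' line return its flag set, else None."""
    rest = args[1:] if args and args[0] in ("-4", "-6") else args
    if rest and rest[0] == "default":
        return set(rest[1:])
    return None


def audit_monlist_exposure(text):
    """Report whether arbitrary clients can obtain monlist data from this ntpd.

    monlist is answered unless 'disable monitor' is set or the default
    restriction carries 'noquery' (which refuses all mode 6 and 7 queries)."""
    monitor_disabled = False
    default_lines = []          # flag sets from each 'restrict default' line
    for keyword, args in parse_conf(text):
        if keyword in ("disable", "enable") and "monitor" in args:
            monitor_disabled = keyword == "disable"   # last directive wins
        elif keyword == "restrict":
            flags = default_restrict_flags(args)
            if flags is not None:
                default_lines.append(flags)

    noquery_everywhere = bool(default_lines) and all("noquery" in f for f in default_lines)
    findings = []
    if not default_lines:
        findings.append("no 'restrict default' line: all clients may send mode 6/7 queries")
    elif not noquery_everywhere:
        findings.append("'restrict default' lacks noquery: mode 6/7 queries are answered")
    if not monitor_disabled:
        findings.append("'disable monitor' not set: the monlist table is kept and served")

    return {
        "monitor_disabled": monitor_disabled,
        "default_noquery": noquery_everywhere,
        # monlist is reachable by arbitrary hosts only if both mitigations are absent
        "monlist_exposed": not monitor_disabled and not noquery_everywhere,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                       ("monitor-only", MONITOR_ONLY_CONF)):
        print(name, audit_monlist_exposure(conf))
```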


NSA reportedly building quantum computer that could crack most encryption types





The National Security Agency is reportedly racing to build a computer that will be able to break almost every kind of encryption used to protect medical, banking, business and government records around the world.

According to documents provided by NSA whistleblower Edward Snowden, a $79.7 million research program titled “Penetrating Hard Targets” includes a project to build a “cryptologically useful quantum computer” – a machine considerably faster than classic computers, The Washington Post reported Thursday.

The implications of the NSA building a quantum computer are far reaching. Such a machine would open the door to cracking the strongest encryption tools in use today, including a standard known as RSA that scrambles communications and makes them impossible to read for anyone except the intended recipient. RSA is commonly used in Web browsers for encrypted emails and secure financial transactions.

The development of such a machine has long been a goal of many in the scientific community, and would have revolutionary implications for fields like medicine as well as for the NSA’s code-breaking mission.

The NSA reportedly sees itself as in a race with European Union and Swiss sponsored quantum computing labs.

“The geographic scope has narrowed from a global effort to a discrete focus on the European Union and Switzerland,” one NSA document says, according to the Washington Post.

The Snowden documents also indicate that the NSA has been carrying out a part of its research in large shielded rooms designed to prevent electromagnetic energy from leaking. The rooms are required in order to keep quantum computing experiments running.




Backdoor in wireless DSL routers lets attacker reset router, get admin


A hacker has found a backdoor to wireless combination router/DSL modems that could allow an attacker to reset the router’s configuration and gain access to the administrative control panel. The attack, confirmed to work on several Linksys and Netgear DSL modems, exploits an open port accessible over the wireless local network.
The backdoor requires that the attacker be on the local network, so this isn’t something that could be used to remotely attack DSL users. However, it could be used to commandeer a wireless access point and allow an attacker to get unfettered access to local network resources. Update: Vanderbeken reports some routers have the backdoor open to the Internet side as well, leaving them vulnerable to remote attack.
Eloi Vanderbeken described the backdoor in a PowerPoint posted with the code to Github. In his illustrated report, he explained how over the Christmas holiday he was trying to get access to the administrative console of his family’s Linksys WAG200G wireless DSL gateway wirelessly—mostly so he could limit how much bandwidth the others in the house were using. But Vanderbeken had previously turned off wireless access to the administration web console (and had forgotten his administrative password).
Performing a scan, he found that the router responded to messages over an unusual TCP port number: 32764. A search of the web found other Linksys and Netgear router owners had found the same service, but there was no documentation for what it did.
So Vanderbeken downloaded a copy of the Linksys firmware and commenced reverse-engineering the binary MIPS code. What he found was a simple interface that allowed him to send commands to the router without being authenticated as the administrator. On his first attempt to brute-force the interface, the router flipped its configuration back to factory settings, causing his family members to all lose Internet access at the same time.
After some additional testing, Vanderbeken found that the interface allowed him to execute a number of commands directly against the router, including a command-line shell. Using the commands he discovered, he was able to write a script that allowed him to turn wireless access to administration on and reset the web password, and published the script (with his cartoon report on the backdoor) to Github.



Thursday, 5 December 2013


JPMorgan Chase admits network hack; 465,000 card users' data stolen

The banking giant suffered a network breach this year that resulted in a large data breach, though funds and critical personal information are not thought to have been stolen.



JPMorgan Chase has warned some 465,000 prepaid cash card customers that their personal information may be at risk after unknown hackers attacked its network earlier this year.

First reported by Reuters, nearly half-a-million cards were issued for companies and businesses to pay employees and for the federal government to issue tax refunds and other welfare benefits. 

The banking giant said on Wednesday its online UCard portal had suffered a breach in mid-September, which allowed an unknown number of hackers to access vast amounts of customer prepaid cash card data.

The issue was subsequently fixed and the breach reported to the FBI and Secret Service. No funds are thought to have been stolen.

It's not yet clear how hackers were able to breach the bank's network, or what information was specifically taken. But the concern is that though card data is encrypted, personal data may have been stored in plain text files.

Social security data and birth dates are not understood to have been taken, but a "small amount" of other data may have been. The bank did not elaborate.

In a statement published by the Louisiana Commissioner of Administration Kristy Nichols, as one of the states requiring banks to notify customers of a data loss or breach: "The data exposure affects only cardholders who registered their cards on the JPMorgan UCard Center website and, between July and September 2013, performed certain actions online."

She added the government will "hold JP Morgan Chase responsible" to ensure state citizen data is protected.

The total number of those affected accounts for about 2 percent of its roughly 25 million UCard users.


NSA tracking cellphone locations worldwide, Snowden documents show



The National Security Agency is gathering nearly 5 billion records a day on the whereabouts of cellphones around the world, according to top-secret documents and interviews with U.S. intelligence officials, enabling the agency to track the movements of individuals — and map their relationships — in ways that would have been previously unimaginable.

The records feed a vast database that stores information about the locations of at least hundreds of millions of devices, according to the officials and the documents, which were provided by former NSA contractor Edward Snowden. New projects created to analyze that data have provided the intelligence community with what amounts to a mass surveillance tool.
The NSA does not target Americans’ location data by design, but the agency acquires a substantial amount of information on the whereabouts of domestic cellphones “incidentally,” a legal term that connotes a foreseeable but not deliberate result.

One senior collection manager, speaking on the condition of anonymity but with permission from the NSA, said “we are getting vast volumes” of location data from around the world by tapping into the cables that connect mobile networks globally and that serve U.S. cellphones as well as foreign ones. Additionally, data are often collected from the tens of millions of Americans who travel abroad with their cellphones every year.

In scale, scope and potential impact on privacy, the efforts to collect and analyze location data may be unsurpassed among the NSA surveillance programs that have been disclosed since June. Analysts can find cellphones anywhere in the world, retrace their movements and expose hidden relationships among the people using them.

(Graphic: How the NSA is tracking people right now)

U.S. officials said the programs that collect and analyze location data are lawful and intended strictly to develop intelligence about foreign targets.

Robert Litt, general counsel for the Office of the Director of National Intelligence, which oversees the NSA, said “there is no element of the intelligence community that under any authority is intentionally collecting bulk cellphone location information about cellphones in the United States.”

The NSA has no reason to suspect that the movements of the overwhelming majority of cellphone users would be relevant to national security. Rather, it collects locations in bulk because its most powerful analytic tools — known collectively as CO-TRAVELER — allow it to look for unknown associates of known intelligence targets by tracking people whose movements intersect.

Still, location data, especially when aggregated over time, are widely regarded among privacy advocates as uniquely sensitive. Sophisticated mathematical techniques enable NSA analysts to map cellphone owners’ relationships by correlating their patterns of movement over time with thousands or millions of other phone users who cross their paths. Cellphones broadcast their locations even when they are not being used to place a call or send a text message.

Mass hack affects almost 2 million Internet accounts

Hackers stole almost 1.6 million login credentials and 320,000 e-mail credentials.

Almost 2 million accounts on Facebook, Google, Twitter, Yahoo and other social media and Internet sites have been breached, according to a Chicago-based cybersecurity firm.




The hackers stole 1.58 million website login credentials and 320,000 e-mail account credentials, among other items, the firm Trustwave reported. Included in the breaches were thefts of 318,121 passwords from Facebook, 59,549 from Yahoo, 54,437 from Google, 21,708 from Twitter and 8,490 from LinkedIn. The list also includes 7,978 from ADP, the payroll service provider. According to a Trustwave blog, "Payroll services accounts could actually have direct financial repercussions."

The hacking began Oct. 21 and might still be taking place, according to CNN.

John Miller, a security research manager at Trustwave, told CNN, "We don't have evidence they logged into these accounts, but they probably did."

There are several other servers Trustwave has not yet tracked down, Miller told CNN.

ADP, Facebook, LinkedIn and Twitter told CNN they have notified users and reset passwords for compromised accounts. Google declined to comment and Yahoo did not respond immediately, CNN reported.

The majority of passwords were from the Netherlands, followed by Thailand, Germany, Singapore, Indonesia and the United States, which accounted for 859 reports from machines and 1,943 passwords, according to Trustwave. In all, just over 100 countries were affected, and Trustwave said this shows the attack is "fairly global."

In compiling the data, Trustwave also discovered that many users are doing just what computer specialists advise against – using simplistic passwords that can easily be guessed. For instance, the top five passwords Trustwave found in researching the breaches were: 123456, 123456789, 1234, password and 12345.

According to its website, Trustwave helps businesses fight computer crime, protect data and reduce security risks.

The breaches operated through software maliciously installed on computers around the world, Trustwave said, according to CNN. The malware has been sending the stolen information to a server in the Netherlands controlled by the hackers, CNN reported.

Trustwave researchers on Nov. 24 detected the server and found compromised credentials for about 100,000 websites.

Wednesday, 4 December 2013


Logins stolen from Facebook, Google, ADP payroll processor



Attackers are using the 'Pony' botnet command-and-control server software

Two million logins and passwords from services such as Facebook, Google and Twitter have been found on a Netherlands-based server, part of a large botnet using controller software nicknamed "Pony."

Another company whose users' login credentials showed up on the server was ADP, which specializes in payroll and human resources software, wrote Daniel Chechik, a security researcher with Trustwave's SpiderLabs.

It's expected that cybercriminals will go after main online services, but "payroll services accounts could actually have direct financial repercussions," he wrote.

ADP moved $1.4 trillion in fiscal 2013 within the U.S., paying one in six workers in the country, according to its website.

Facebook had the most stolen credentials, at 318,121, followed by Yahoo at 59,549 and Google at 54,437. Other companies whose login credentials showed up on the command-and-control server included LinkedIn and two Russian social networking services, VKontakte and Odnoklassniki. The botnet also stole thousands of FTP, remote desktop and secure shell account details.

It wasn't clear what kind of malware infected victims' computers and sent the information to the command-and-control server.

Trustwave found the credentials after gaining access to an administrator control panel for the botnet. The source code for the control panel software, called "Pony," was leaked at some point, Chechik wrote.

The server storing the credentials received the information from a single IP address in the Netherlands, which suggests the attackers are using a gateway or reverse proxy in between infected computers and the command-and-control server, he wrote.

"This technique of using a reverse proxy is commonly used by attackers in order to prevent the command-and-control server from being discovered and shut down -- outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down," Chechik wrote.

Information on the server indicated the captured login credentials may have come from as many as 102 countries, "indicating that the attack is fairly global," he wrote.

Prototype Malware Spreads Via Audio Signals



The digital world has its fair share of benefits, but there are also dangers and pitfalls to look out for. Computer viruses and malware have evolved over the years to the point that even the mobile platform is not spared. Now researchers have come up with another way that would certainly prove a headache for network administrators everywhere: a proof-of-concept program able to spread from one machine to another using audio signals via integrated speakers and microphones. This puts a dent in the notion that computers isolated from a network cannot be infected by malware.

I guess with this research, the reliability of the “air gap” is no longer a surefire security measure for keeping sensitive information well protected. Inaudible audio signals carried small amounts of data over covert channels, at distances reaching 65 feet. So much for a missing Internet connection being enough of a deterrent against malware.

The researchers behind this proof-of-concept warned that attackers could arm the malware with keyloggers so that sensitive information can be recorded. They shared, “The concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered.” Now what, an isolated computer to be placed in a sound-proof room?

Tuesday, 3 December 2013


UK man accused of hacking US government computers


A British man has been arrested and charged with hacking into computer systems of the US army, Nasa, the Environmental Protection Agency and other agencies at a cost of millions of dollars to the federal government. 

Lauri Love, 28, of Stradishall, England, and his partners stole information about government employees, including military service members, since at least October 2012 by hacking into government networks and leaving behind "back doors" through which they could return to get data, a grand jury in Newark said in an indictment. 

British authorities said on Monday that Love was also charged under a UK law that allows people to be arrested for starting attacks from the UK on computers anywhere in the world. He has been released on bail until February. Attempts to reach Love for comment on Monday weren't immediately successful. 

The US government said the purpose of the attacks was "to disrupt the operations and infrastructure" of the federal government. The New Jersey indictment does not accuse Love of selling information or doing anything else with it for financial gain. 

Love was arrested on Friday at his home about 70 miles (112 kilometers) north of London. 

He's accused of working with two co-conspirators in Australia and one in Sweden, none of whom have been charged. Their names were not disclosed in the court filing that was made public on Monday. 

The indictment includes pieces of instant message conversations that Love allegedly had with his partners. 

In one, he seems to brag about infiltrating Nasa networks: "ahaha, we owning lots of nasa sites," he said, according to the government. In another exchange, he marvels at the information the group has accessed, writing "this ... stuff is really sensitive," according to prosecutors. 

Love was charged in New Jersey because he allegedly used a server in the township of Parsippany. He also faces federal charges in Virginia for other alleged intrusions.


Backdoor in D-link router allows attackers full access


D-Link has patched a backdoor present in a number of its routers that was publicized almost two months ago and could allow an attacker to remotely access the administrative panel on the hardware, run code and make any number of changes.
The Thanksgiving patch parade addressed the issue in a number of affected routers, most of them older versions that are still in circulation and largely untouched by consumers in particular.
Customer premise equipment such as wireless routers, modems and other set-top devices poses a real security issue because patches require a firmware update, which is often ignored. There’s plenty of research too that examines the risks posed not only by buggy routers, but by other home and small business networking equipment.
Using available tools and online search engines such as Shodan, attackers can easily find Internet-facing equipment that’s vulnerable, and target those boxes with any number of exploits or scripts focusing on weak or default credentials, giving someone remote access to the gear.
The D-Link issue is much more serious given the access it could afford a remote attacker. Researcher Craig Heffner reported finding the vulnerability in October; he said that an attacker using a certain string “xmlset_roodkcableoj28840ybtide” could access the Web interface of a number of different D-Link routers without credentials.
D-Link routers DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240, along with Planex routers BRL-04R, BRL-04UR and BRL-04CW, also use the same firmware, Heffner said. The firmware revisions issued last Thursday are for DI-524, DI-524UP, DIR-100 and DIR-120 routers, D-Link said in its advisory.
“Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string,” the company’s original advisory said. “This backdoor allows an attacker to bypass password authentication and access the router’s administrative web interface.”
Backdoors in hardware such as networking gear are generally for remote administration purposes. Researcher Travis Goodspeed told Heffner that this backdoor is used by a particular binary in the firmware and enables an administrator to use this particular string to automatically reconfigure the device’s settings.
“My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something,” Heffner wrote. “The only problem was that the web server required a username and password, which the end user could change.”
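The User-Agent string quoted above is a simple detection signature for anyone logging HTTP traffic in front of an affected device. As an added example (not from the article, D-Link or Heffner's research), the following scans web-access log lines in Apache/nginx combined format, such as a reverse proxy or IDS would produce, for that string and reports whether each request got through; the log lines, IPs and paths are constructed.

```python
"""Added example, not from the article or from D-Link: detect requests that
carry the backdoor User-Agent in combined-format access logs and summarise
them per source address for alerting."""
import re
from collections import defaultdict

BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"   # string quoted in the article

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log; the addresses, paths and timestamps are made up.
SAMPLE_LOG = """\
192.168.0.12 - - [02/Dec/2013:09:14:01 +0000] "GET /index.htm HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0"
203.0.113.7 - - [02/Dec/2013:09:14:09 +0000] "GET /index.htm HTTP/1.1" 200 512 "-" "xmlset_roodkcableoj28840ybtide"
203.0.113.7 - - [02/Dec/2013:09:14:10 +0000] "POST /apply.cgi HTTP/1.1" 200 0 "-" "xmlset_roodkcableoj28840ybtide"
198.51.100.4 - - [02/Dec/2013:09:15:33 +0000] "GET /index.htm HTTP/1.1" 401 0 "-" "curl/7.30.0"
198.51.100.4 - - [02/Dec/2013:09:15:40 +0000] "GET /index.htm HTTP/1.1" 403 0 "-" "XMLSET_ROODKCABLEOJ28840YBTIDE"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_backdoor_ua(ua):
    """Case-insensitive substring match: the advisory says the request only has
    to contain the string, so a defender should not require an exact header."""
    return BACKDOOR_UA in ua.lower()


def find_backdoor_requests(log_text):
    """One record per request carrying the backdoor UA, with a verdict:
    'auth_bypassed' when the server answered 2xx/3xx, 'blocked' otherwise."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_backdoor_ua(rec["ua"]):
            continue
        rec["verdict"] = "auth_bypassed" if int(rec["status"]) < 400 else "blocked"
        hits.append(rec)
    return hits


def summarise_by_source(hits):
    """{source ip: {'requests': n, 'auth_bypassed': n}} for alert thresholds."""
    summary = defaultdict(lambda: {"requests": 0, "auth_bypassed": 0})
    for rec in hits:
        summary[rec["ip"]]["requests"] += 1
        if rec["verdict"] == "auth_bypassed":
            summary[rec["ip"]]["auth_bypassed"] += 1
    return dict(summary)


if __name__ == "__main__":
    found = find_backdoor_requests(SAMPLE_LOG)
    for rec in found:
        print(rec["ip"], rec["method"], rec["path"], rec["status"], rec["verdict"])
    print(summarise_by_source(found))
```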


Vulnerability in Android 4.3 allows removal of device lock

There is a vulnerability in Android 4.3 Jelly Bean that enables a malicious app to disable all of the security locks on a given device, leaving it open to further attacks. Jelly Bean is the most widely deployed version of Android right now.
The vulnerability in Android exists in the way that the operating system handles the flow of events when a user wants to change one of the security locks on a device. There are several different kinds of security locks on Android devices, including PIN codes, facial recognition and gesture locks. When a user wants to change one of these locks, he is asked to enter one of the other ones in order to confirm his control of the device. The vulnerability in Jelly Bean, discovered by researchers at Curesec in Germany, allows a malicious app to skip this step and disable the other security locks.
“The bug exists on the ‘com.android.settings.ChooseLockGeneric class’. This class is used to allow the user to modify the type of lock mechanism the device should have. Android implements several locks, like pin, password, gesture and even face recognition to lock and unlock a device. Before a user can change these settings, the device asks the user for confirmation of the previous lock (e.g. if a user wants to change the pin or remove it, it has to first enter the previous pin),” the advisory from Curesec says.
If a malicious app is installed on a vulnerable device, it could control the code flow that determines whether Android enables the mechanism that requires a security code in order to change one of the other security locks. A Google representative said the problem was fixed in Android Kit Kat 4.4.
“We can control the flow to reach the updatePreferencesOrFinish() method and see that IF we provide a Password Type the flow continues to updateUnlockMethodAndFinish(). Above we can see that IF the password is of type PASSWORD_QUALITY_UNSPECIFIED the code that gets executed and effectively unblocks the device. As a result any [rogue] app can at any time remove all existing locks,” the advisory says.
The researchers at Curesec said that they reported the vulnerability to the Android security team at Google on Oct. 11, received a reply the next day and then didn’t get any further feedback from Google after that. The advisory includes a short bit of proof-of-concept code which the researchers say could be used by an installed malicious app. In the comments of their blog post on the bug, the researchers explained that the permissions model in Android can be bypassed with this bug.
“The command line shown is just a simple PoC so the problem is understood by anyone without needing to write his own application to test it. For executing actions in Android your application needs the exact permission to do this.
For instance, if an app wants to read SMS or use the Internet, there is a permission for that. However, due to the bug you do not need any permission to remove all device locks,” the researchers said.

Posted by Unknown 04:51

State Bank of Patiala hacked and defaced by Pakistani Hacker

A Pakistani hacker with the online handle "Kai-H4xOrR" from PAKISTAN HAXORS CREW (PHC) has hacked into a State Bank of Patiala (SBP) sub-domain and managed to deface the website.
On the defacement page, the hacker stated that the security breach is payback "For Hacking Sui Gas Site".

The defacement message reads: "And Dont mess with Pakistan else you will lose both your Name and this Game. Backoff Lamers from our cyber space. Everybody Knows whose cyber space is more vulnerable."

"You will hack 1, we will hack thousands," the hacker warned Indian hackers who deface Pakistani websites.

The hacker has uploaded his defacement here: "https://hindi.sbp.co.in/index.html". The main page and other pages are not affected by this defacement. At the time of writing, the website still displays the defacement.

Sunday, 1 December 2013

Posted by Unknown 06:54

Neverquest Trojan: Built to Steal from Hundreds of Banks

Neverquest is a new banking trojan that spreads itself via social media, email and file transfer protocols. It is able to recognize hundreds of online banking and other financial sites. When an infected user attempts to log in to one of these sites, the trojan activates itself and steals the victim’s credentials.

Neverquest then relays the stolen credentials back to a command and control server. From there, the attackers can use the credentials to log into the affected accounts via virtual network computing (VNC). VNC is essentially a shared desktop system, so the criminals use the victim’s own computer to log into the victim’s online bank and perform the theft, which makes it virtually impossible for the bank to distinguish legitimate users from criminals.

Kaspersky Lab announced earlier this week that the trojan has infected thousands of user machines but – as malware expert Sergey Golovanov explains – it has the potential to do much more damage throughout the holiday season because of its efficient and versatile self-replication features. In fact, back in 2009, the Bredolab malware used the same methods of distribution that Neverquest is currently using. Bredolab would eventually become the third most widely distributed piece of malware on the Internet.

“When a user on an infected machine visits one of the sites on the list, the malware controls the browser’s connection with the server,” Golovanov explained in an analysis on Securelist. “Malicious users can obtain usernames and passwords entered by the user, and modify webpage content. All of the data entered by the user will be entered onto the modified webpage and transmitted to malicious users.”

Once the attacker has control of a victim’s account, he can empty it completely into an account under his control. In many cases, however, Golovanov notes, the attackers move the stolen money through a series of victim accounts: they dump money from one victim’s account into another and repeat the process several times before finally collecting the money themselves, in order to make their activities difficult to trace.

Neverquest is for sale on at least one underground forum. It only seems to affect users browsing with Internet Explorer and Mozilla Firefox, but Neverquest’s creators boast that it can be modified to attack “any bank in any country.”

The malware also contains a feature that searches for specific banking-related keywords while the infected user surfs the web. If a user visits a site that includes these keywords, the trojan activates itself and begins intercepting user communications and sending them back to the attackers. If the site the victim is visiting ends up being a bank, the attackers add this new site to the list of sites that automatically trigger Neverquest. This update is then sent along through Neverquest’s command and control infrastructure to all other infected machines.

Fidelity.com, the website of one of the world’s largest mutual fund investment firms, appears to be one of the trojan’s top targets according to the report.

“Its website offers clients a long list of ways to manage their finances online,” Golovanov wrote on Securelist. “This gives malicious users the chance to not only transfer cash funds to their own accounts, but also to play the stock market, using the accounts and the money of Neverquest victims.”

Neverquest is also designed to start harvesting data when an infected user visits any number of sites not related to finance, including Google, Yahoo, Amazon AWS, Facebook, Twitter, Skype and many more.

“The weeks prior to the Christmas and New Year holidays are traditionally a period of high malicious user activity,” Golovanov wrote. “As early as November, Kaspersky Lab noted instances where posts were made in hacker forums about buying and selling databases to access bank accounts and other documents used to open and manage the accounts to which stolen funds are sent. We can expect to see mass Neverquest attacks towards the end of the year, which could ultimately lead to more users becoming the victims of online cash theft.”

He continues:

“Protection against threats such as Neverquest requires more than just standard antivirus; users need a dedicated solution that secures transactions. In particular, the solution must be able to control a running browser process and prevent any manipulation by other applications.” 
Luckily, Kaspersky Lab has such a technology, called Safe Money. As part of Kaspersky Internet Security and Kaspersky PURE, it protects users’ interactions with financial sites, paying specific attention to the security of the encrypted connection and the absence of third-party control over web browsers.

Posted by Unknown 01:21
New Linux worm targets routers, cameras, “Internet of things” devices

Researchers have discovered a Linux worm capable of infecting a wide range of home routers, set-top boxes, security cameras, and other consumer devices that are increasingly equipped with an Internet connection.
Linux.Darlloz, as the worm has been dubbed, is now classified as a low-level threat, partly because its current version targets only devices that run on CPUs made by Intel, Symantec researcher Kaoru Hayashi wrote in a blog post published Wednesday. But with a minor modification, the malware could begin using variants that incorporate already available executable and linkable format (ELF) files that infect a much wider range of "Internet-of-things" devices, including those that run chips made by ARM and those that use the PPC, MIPS, and MIPSEL architectures.
"Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability," Hayashi explained. "If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures."
The researcher went on to say the attacker behind the Intel version is also hosting ELF files that exploit the other chip architectures.

[Figure] The “e_machine” value in the ELF header indicates that the worm is for the ARM architecture.
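To make the check in the caption above repeatable during triage, here is an added Python example (not from Symantec’s analysis or the worm) that reads EI_CLASS, EI_DATA and e_machine from an ELF header and names the architecture; the sample headers it builds are constructed, and the e_machine constants are the standard values from the ELF specification.

```python
import struct
import sys

# Selected e_machine values from the ELF specification.
EM_386, EM_MIPS, EM_PPC, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 8, 20, 40, 62, 183
ARCH_NAMES = {
    EM_386: "x86", EM_X86_64: "x86-64", EM_ARM: "ARM", EM_AARCH64: "ARM64",
    EM_PPC: "PPC", EM_MIPS: "MIPS",
}


def elf_architecture(data: bytes) -> str:
    """Name the target architecture of an ELF image from its first 20 bytes.

    The e_ident array gives the magic, word size (EI_CLASS) and byte order
    (EI_DATA); e_machine sits at offset 18 and is encoded in that byte order.
    A MIPS image whose header is little-endian is reported as MIPSEL, the
    name the article uses for that variant.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2):          # 1 = ELFCLASS32, 2 = ELFCLASS64
        raise ValueError("bad EI_CLASS %d" % ei_class)
    if ei_data not in (1, 2):           # 1 = little-endian, 2 = big-endian
        raise ValueError("bad EI_DATA %d" % ei_data)
    endian = "<" if ei_data == 1 else ">"
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)
    if e_machine == EM_MIPS and ei_data == 1:
        return "MIPSEL"
    return ARCH_NAMES.get(e_machine, "unknown (e_machine=%d)" % e_machine)


def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Build a constructed 20-byte ELF header for testing (not a real binary)."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + bytes(9)   # 16 bytes
    return ident + struct.pack(endian + "HH", 2, e_machine)         # e_type=ET_EXEC


if __name__ == "__main__":
    # Usage: python elf_arch.py file1 file2 ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, elf_architecture(fh.read(20)))
```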

Out of date

While not posing much of a real-world threat now, Darlloz demonstrates a major shortcoming with most Internet-of-things devices available today—they typically run Linux or other types of open source code that are woefully out of date. Making matters worse, many Internet-connected consumer devices can't be updated because their lightweight hardware can't handle the requirements of newer code versions. Hijacking one of these devices thus becomes much easier than exploiting, say, an up-to-date version of Windows, OS X, or Linux.
Darlloz exploits a vulnerability in the PHP scripting language that was patched 18 months ago. Devices that use older versions of PHP to provide a Web-based interface to make configuration changes may be vulnerable to the attack. With minor modifications, the worm could potentially be reprogrammed to exploit dozens of patched vulnerabilities that still haven't made their way into most consumer devices.
Readers who want to tighten the security of their routers and other devices should consider doing research ahead of purchases and buying only gear that can be updated easily. For existing devices, update to the latest available version, change default passwords, and block incoming POST requests and other types of HTTP calls if at all possible.

Posted by Unknown 00:48

Turkish Hacker Hacks Official Vodafone Iceland Website, Leaks 77,000 Accounts and SMS Logs

A well-known Turkish hacker using the handle @AgentCorporatio, from the Turkish Agent Hacker Group, has hacked and defaced the official website of telecom giant Vodafone Iceland. As a result of the hack, the hacker has leaked around 77k user accounts together with customers’ SMS logs.

The hacker, who contacted me on Twitter, explained that the reason for targeting Vodafone was to mark his protest against the USA and Israel. He also left a defacement page and a message on the hacked site, in the following words:
"Agent Hacker Group! Turkish hackers says: nsa, mola vakti. Vidafone.is full download, full users account, + vodafone… to be continued."
After analyzing the leaked data, I found it to be legitimate and loaded with Vodafone customers’ user details in an XLS file, such as names, emails, addresses, SMS logs and phone numbers. Other than the user data, the leak contains a database, client details, tender details, accounts and financial details, franchise location maps and business markups.
A screenshot of the leaked Vodafone customer SMS logs is available below:

Friday, 29 November 2013


Hackers exploit Ruby on Rails vulnerability to compromise servers, create botnet

Hackers are actively exploiting a critical vulnerability in the Ruby on Rails Web application development framework in order to compromise Web servers and create a botnet.
The Ruby on Rails development team released a security patch for the vulnerability, which is known as CVE-2013-0156, back in January. However, some server administrators haven't yet updated their Rails installations.
Ruby on Rails is a popular framework for developing Web applications based on the Ruby programming language and is used by websites including Hulu, GroupOn, GitHub and Scribd.
"It's pretty surprising that it's taken this long [for an exploit] to surface in the wild, but less surprising that people are still running vulnerable installations of Rails," said Jeff Jarmoc, a security consultant with security research firm Matasano Security, Tuesday in a blog post.
The exploit that's currently being used by attackers adds a custom cron job—a scheduled task on Linux machines—that executes a sequence of commands.
Those commands download a malicious C source file from a remote server, compile it locally and execute it. The resulting malware is a bot that connects to an IRC (Internet Relay Chat) server and joins a predefined channel where it waits for commands from the attackers.
A precompiled version of the malware is also downloaded in case the compilation procedure fails on the compromised systems.
"Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers," Jarmoc said. "There's no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands."
Reports of malicious activity using this exploit were posted in recent days on several discussion boards, and it also appears that some Web hosting providers were affected, Jarmoc said.
Users should update the Ruby on Rails installations on their servers to at least versions 3.2.11, 3.1.10, 3.0.19 or 2.3.15 which contain the patch for this vulnerability. However, the best course of action is probably to update to the latest available Rails versions, depending on the branch used, since other critical vulnerabilities have been addressed since then.
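An added check, not part of the article or the Rails project, that reads the pinned rails version from a project's Gemfile.lock and compares it with the minimum patched releases listed above; the Gemfile.lock fragment is constructed, and treating releases newer than every listed branch (Rails 4.x shipped after the January fix) as patched is an assumption beyond the article.

```python
import re
import sys

# Earliest release on each branch that carries the CVE-2013-0156 fix,
# as listed in the article.
PATCHED = {(3, 2): (3, 2, 11), (3, 1): (3, 1, 10),
           (3, 0): (3, 0, 19), (2, 3): (2, 3, 15)}

# Matches the pinned spec line, e.g. "    rails (3.2.8)", but not dependency
# lines such as "  rails (= 3.2.8)" or other gems such as "railties (3.2.8)".
RAILS_SPEC = re.compile(r"^ +rails \((\d+)\.(\d+)\.(\d+)[^)]*\)\s*$", re.M)

# Constructed Gemfile.lock fragment for a project still on Rails 3.2.8.
SAMPLE_GEMFILE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    actionpack (3.2.8)
    rails (3.2.8)
      railties (= 3.2.8)

DEPENDENCIES
  rails (= 3.2.8)
"""


def rails_version(gemfile_lock: str):
    """Return the pinned rails version as (major, minor, patch), or None."""
    m = RAILS_SPEC.search(gemfile_lock)
    return tuple(int(x) for x in m.groups()) if m else None


def cve_2013_0156_status(version) -> str:
    """Classify a (major, minor, patch) tuple as patched/vulnerable/unsupported.

    Assumption beyond the article: releases newer than every listed branch
    (Rails 4.x shipped after the January 2013 fix) count as patched, while
    branches older than 2.3 never received the fix and are 'unsupported'.
    """
    branch = version[:2]
    if branch in PATCHED:
        return "patched" if version >= PATCHED[branch] else "vulnerable"
    return "patched" if version > max(PATCHED.values()) else "unsupported"


if __name__ == "__main__":
    for path in sys.argv[1:] or ["Gemfile.lock"]:
        with open(path) as fh:
            v = rails_version(fh.read())
            print(path, "no rails spec found" if v is None else cve_2013_0156_status(v))
```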
Attackers are increasingly compromising Web servers to use them as part of botnets. For example, many Apache servers have recently been infected with a piece of malware called Linux/Cdorked, and versions of this malware were also developed for Lighttpd and Nginx Web servers.
Posted by Unknown 07:43
Three Charged Over FA Computer Hacking
A referee is among three men charged over allegations of computer hacking and dissemination of private information at the FA. 

Referee Dean Mohareb, 30, from Woodley, Stockport, has been charged with perverting the course of justice and unauthorised access to computer data.
Liam Cliff, 18, from Manchester, and Vincent Rossi, 46, from Wilmslow, have been charged with perverting the course of justice.
The trio will appear before Stockport Magistrates Court on Thursday, December 5.
Mohareb is a senior member of the FA's Referees Department in his role as national referee development manager.
He was first arrested over allegations that he hacked into a colleague's email account in October last year. Police seized a number of electrical items from his home on that occasion.
Greater Manchester Police have been investigating allegations of computer hacking and the dissemination of private information at the FA.