Hackers exploit Ruby on Rails vulnerability to compromise servers, create botnet

Hackers are actively exploiting a critical vulnerability in the Ruby on Rails Web application development framework in order to compromise Web servers and create a botnet.

The Ruby on Rails development team released a security patch for the vulnerability, which is known as CVE-2013-0156, back in January. However, some server administrators haven't yet updated their Rails installations.

Ruby on Rails is a popular framework for developing Web applications based on the Ruby programming language and is used by websites including Hulu, GroupOn, GitHub and Scribd.

"It's pretty surprising that it's taken this long [for an exploit] to surface in the wild, but less surprising that people are still running vulnerable installations of Rails," said Jeff Jarmoc, a security consultant with security research firm Matasano Security, Tuesday in a blog post.

The exploit that's currently being used by attackers adds a custom cron job—a scheduled task on Linux machines—that executes a sequence of commands.

Those commands download a malicious C source file from a remote server, compile it locally and execute it. The resulting malware is a bot that connects to an IRC (Internet Relay Chat) server and joins a predefined channel where it waits for commands from the attackers.

A precompiled version of the malware is also downloaded in case the compilation procedure fails on the compromised systems.

"Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers," Jarmoc said. "There's no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands."

Reports of malicious activity using this exploit were posted in recent days on severaldiscussion boards and it also appears that some Web hosting providers were affected, Jarmoc said.

Users should update the Ruby on Rails installations on their servers to at least versions 3.2.11, 3.1.10, 3.0.19 or 2.3.15 which contain the patch for this vulnerability. However, the best course of action is probably to update to the latest available Rails versions, depending on the branch used, since other critical vulnerabilities have been addressed since then.

Attackers are increasingly compromising Web servers to use them as part of botnets. For example, many Apache servers have recently been infected with a piece of malware called Linux/Cdorked and versions of this malware were also developed for Lighttpd and Nginx Web servers

Read More

Three Charged Over FA Computer Hacking
A referee is among three men charged over allegations of computer hacking and dissemination of private information at the FA. 

                                                                             

Referee Dean Mohareb, 30, from Woodley, Stockport, has been charged with perverting the course of justice and unauthorised access to computer data.

Liam Cliff, 18, from Manchester, and Vincent Rossi, 46, from Wilmslow, have been charged with perverting the course of justice.

The trio will appear before Stockport Magistrates Court on Thursday, December 5.

Mohareb is a senior member of the FA's Referees Department in his role as national referee development manager.

He was first arrested over allegations that he hacked into a colleague's email account in October last year. Police seized a number of electrical items from his home on that occasion.

Greater Manchester Police have been investigating allegations of computer hacking and the dissemination of private information at the FA.

Read More

Two Singaporeans arrested for hacking president's website

       

 Two Singaporean men have been arrested for allegedly defacing the president's website during a recent rash of cyber attacks in the city-state, police said today. 

The men, aged 17 and 42, were arrested following a complaint lodged by the website administrators of the Istana, the official residence of President Tony Tan. 

The website was hacked and displayed a crude image in the early hours of November 8, about an hour after Prime Minister Lee Hsien Loong's website displayed mocking messages and pictures from activist hackers' group Anonymous. 

Police said the two attacks are unrelated to each other. 

The suspects in the Istana website hacking will be charged in court tomorrow for offences under the city-state's Computer Misuse and Cybersecurity Act. 

They face a maximum fine of USD 8,000 or imprisonment of up to three years, or both. 

Police did not reveal the identity of the two suspects, but Singaporean businessman Doolson Moo last week revealed to the Straits Times newspaper that he was the one who penetrated the Istana website to "test for vulnerabilities". 

The 42-year-old said he entered a line of computer code into the search box on the website that allowed him to display a picture of an old woman pointing her middle finger, along with a string of offensive words in the southern Chinese dialect of Hokkien. 

He told the newspaper that his accomplice was a 17-year-old student he knew through social networking site Facebook. 

The arrests today come after another Singaporean, 35-year-old James Raj, was charged in court on November 12 with hacking a municipal council's website and posting an image of a Guy Fawkes mask, the international symbol of Anonymous. 

The council is located in a district represented by the prime minister. 

A man claiming to speak for Anonymous has demanded that Singapore scrap a law requiring news websites to obtain annual licences. 

The new Internet licensing rules came into force in June and have angered bloggers and activists who say they are designed to muzzle free expression. 

Singapore strictly regulates the traditional media, but insists the new licensing rules do not impinge on Internet freedom. 

Read More

Phone-hacking trial shown Glenn Mulcaire's investigation whiteboards

Glenn Mulcaire's private investigation wall featuring diagrams, lists of telephone numbers, taskings and names of people including Rebekah Wade and tennis player Venus Williams was shown to the jury at the hacking trial on Thursday.

The jury were shown five large and small whiteboards seized from the premises used by Mulcaire when he was arrested on phone-hacking related charges in 2006.

The largest of the whiteboards shown to the jury had the letters "s" "o" "e" in the middle of a clock-style diagram with the words "mice, money, ideology, compromise, ego, binology" written in "spokes" leading from the centre. The board also featured the words "Gordon, sop, Rayner, Sky"

The first whiteboard featured the word "Swizz Cottage", which detective sergeant James Guest told the jury was "Vodafone's password of the week" followed by the words O2 and Venus Williams.

Several of the boards featured a clock-like diagram, the jury was told by Guest. One had the word "services" in the centre with the words "Charles Rae meeting", a reference to the Sun's former royal editor, and the name "Rebekah Wade" (Rebekah Brooks's maiden name) at 1pm.

Mulcaire had also used the boards as an aide memoire. "Voda: Avoid Damian Team 3", he wrote on the third one shown to the jury.

One board listed footballers David Ginola and Tony Adams, and the words "Bulger Info". On Wednesday the jury were told that Mulcaire, who was paid around £100,000 a year by the News of the World, had been paid £13,500 in relation to inquiries about toddler James Bulger's killers in 2001, the year they were released on licence.

The whiteboards kept by Mulcaire were in addition to the 8,000 pages of notes and the audio recordings of voicemails recovered by police in his home.

Mulcaire, who was convicted of phone-hacking related charges in 2006, has pleaded guilty to another batch of related offences in relation to the 2013 trial.

Read More

College Student Sentenced for stealing passwords to rig Campus Election 

Matthew Weaver, a former Cal State San Marcos student was sentenced one year of prison for stealing almost 750 students password and using 630 of those accounts to cast the ballots.

22 years old Mr. Weaver was a third year business student when he planned to win election as president of the school's student council.

A month before the election Weaver bought three keyloggers.Authorities reports that Weaver installed keyloggers on 19 school computers to steal the passwords.

It has also been reported that he had done a bit of research with computer queries such as “how to rig an election” and “jail time for keylogger.” (utsandiego news reports)

According to a report, Weaver had planned the plot in early 2012. Authorities have found a PowerPoint presentation on his computer about the stipends for the president.

The plot unveiled when in March 2012, the last day of the four voting period, when computer analysts found anomalous activity on one of the college lab computers and they also received an email from a student complaining that the system didn't allow her to vote.

It was then that the technicians called campus police, who found Weaver at the school computer. He had keyloggers with him and was arrested.

After getting caught, Weaver with one of his friend created fake facebook ids for different students and indirectly mentioned a plot against him.
“He’s on fire for this crime, and then he pours gasoline on it to try to cover it up,” the judge reportedly said during Monday’s sentencing hearing.

The school held another election and cleaned security breach at a cost of more than $40,000, which the schools want back.

Meanwhile Mr. Weaver pleaded guilty to three federal charges, including wire fraud and unauthorized access to a computer and is under one year prison sentence.

Read More

Hackers convince bank to send $15000 wire transfer with the help of Hacked Gmail account

It is time to enable the Google two-step authentication feature.  If the website is providing you additional security feature, it is always good to use that feature.  This news will help you to understand the risk of ignoring the additional security feature.

Cybercriminals hacked the Gmail account of a Dubai based Indian expatriate Anil Abraham and used the account to convince bank to transfer $15,000 from his bank account in India.

When Anil contacted the Bank, he was told by the Branch Manager that the Money was transferred at his request only via email.  The cybercriminals are reportedly send a signed document with the email to trick the Bank into transfer the money.

According to Emirates247 report, the money was transferred to someone named Garry Albert Frazer to Westpac bank account in New Zealand.

Anil said whoever hacked into his email id had managed to steal fianancial information and managed to use those info to write email to Bank with forged signature.

I'm still wondering how bank allowed the cyber criminal to steal the money, they usually don't allow us to transfer money via email accounts without any personal verification.  As far as i know, Bank always careful when it comes to big amount of transfer - $15,000(nearly 90,0000 Rupees).

Though it is mistake of Bank, It is always good to enable security feature on your side.  Don't wait until your account get hacked, Enable the Two-step authentication : http://www.google.com/landing/2step/

Read More

How a  bitcoin  transaction  works

The basics for a new user

As a new user, you can get started with Bitcoin without understanding the technical details. Once you have installed a Bitcoin wallet on your computer or mobile phone, it will generate your first Bitcoin address and you can create more whenever you need one. You can disclose your addresses to your friends so that they can pay you or vice versa. In fact, this is pretty similar to how email works, except that Bitcoin addresses should only be used once.

Balances - block chain

The block chain is a shared public ledger on which the entire Bitcoin network relies. All confirmed transactions are included in the block chain. This way, Bitcoin wallets can calculate their spendable balance and new transactions can be verified to be spending bitcoins that are actually owned by the spender. The integrity and the chronological order of the block chain are enforced with cryptography.

Transactions - private keys

A transaction is a transfer of value between Bitcoin wallets that gets included in the block chain. Bitcoin wallets keep a secret piece of data called a private key or seed, which is used to sign transactions, providing a mathematical proof that they have come from the owner of the wallet. The signature also prevents the transaction from being altered by anybody once it has been issued. All transactions are broadcast between users and usually begin to be confirmed by the network in the following 10 minutes, through a process called mining.

Processing - mining

Mining is a distributed consensus system that is used to confirm waiting transactions by including them in the block chain. It enforces a chronological order in the block chain, protects the neutrality of the network, and allows different computers to agree on the state of the system. To be confirmed, transactions must be packed in a block that fits very strict cryptographic rules that will be verified by the network. These rules prevent previous blocks from being modified because doing so would invalidate all following blocks. Mining also creates the equivalent of a competitive lottery that prevents any individual from easily adding new blocks consecutively in the block chain. This way, no individuals can control what is included in the block chain or replace parts of the block chain to roll back their own spends.

Read More