risk assessment – Tech Today w/ Ken May

Vast majority of malware attacks spawned from legit sites

Google The vast majority of sites that push malware on their visitors are legitimate online services that have been hacked as opposed to those hosted by attackers for the purposes of distributing malicious software, Google security researchers said Tuesday. The data, included for the first time as part of the safe browsing section of Google’s regular transparency report, further challenges the myth that malware attacks happen only on disreputable sites, such as those that peddle porn, illicit software (“warez”), and similar content. For instance, on June 9 only 3,891 of the sites Google blocked as part of its Safe Browsing program were dedicated malware sites, while the remaining 39,247 sites that were filtered offered legitimate services that had been compromised. In all, Google blocks about 10,000 sites per day as part of the program, which is designed to help people using Firefox, Chrome, and other participating browsers to steer clear of phishing scams and drive-by malware attacks. The program is also designed to inform webmasters of infections hitting their site and to take steps to fix the problems. In all, the Safe Browsing program helps protect about 1 billion people per day. Read 2 remaining paragraphs | Comments

View article:
Vast majority of malware attacks spawned from legit sites

How hackers allegedly stole “unlimited” amounts of cash from banks in just hours

Wikipedia Federal authorities have accused eight men of participating in 21st-Century Bank heists that netted a whopping $45 million by hacking into payment systems and eliminating withdrawal limits placed on prepaid debit cards. The eight men formed the New York-based cell of an international crime ring that organized and executed the hacks and then used fraudulent payment cards in dozens of countries to withdraw the loot from automated teller machines, federal prosecutors alleged in court papers unsealed Thursday. In a matter of hours on two separate occasions, the eight defendants and their confederates withdrew about $2.8 million from New York City ATMs alone. At the same times, “cashing crews” in cities in at least 26 countries withdrew more than $40 million in a similar fashion. Prosecutors have labeled this type of heist an “unlimited operation” because it systematically removes the withdrawal limits normally placed on debit card accounts. These restrictions work as a safety mechanism that caps the amount of loss that banks normally face when something goes wrong. The operation removed the limits by hacking into two companies that process online payments for prepaid MasterCard debit card accounts issued by two banks—the National Bank of Ras Al-Khaimah PSC in the United Arab Emirates and the Bank of Muscat in Oman—according to an indictment filed in federal court in the Eastern District of New York. Prosecutors didn’t identify the payment processors except to say one was in India and the other in the United States. Read 3 remaining paragraphs | Comments

Taken from:
How hackers allegedly stole “unlimited” amounts of cash from banks in just hours

Defense contractor pwned for years by Chinese hackers

QinetiQ , a UK-based defense contractor, has its fingers all over some of the US Defense Department’s most sensitive systems. The company’s subsidiaries provide robots, diagnostic systems, intelligence systems for satellites, drones, and even “cyber-security” to the US Department of Defense. The parent company, which was created as a privatized spinoff of the British Defense Evaluation and Research Agency—what was the UK’s equivalent of the US Defense Advanced Research Projects Agency—is often cited as the inspiration for James Bond’s “Q.” But for at least three years, QinetiQ was apparently unintentionally supplying its expertise to another customer: China. In multiple operations, hackers tied to the People’s Liberation Army have had the run of QinetiQ’s networks, stealing sensitive data from them and even using them to launch attacks on the systems of government agencies and other defense contractors. E mails uncovered by the hack of security firm HBGary revealed that Chinese hackers had the run of the company’s networks starting in 2007. Bloomberg’s Michael Riley and Ben Elgin report that in one effort that lasted for over three years, “Comment Crew”—the group tied to the recent hacking of the New York Times and other news organizations, plus a host of attacks on other defense contractors and technology businesses—managed to gain access to “most if not all of the company’s research.” The company was notified on multiple occasions by government agencies of ongoing breaches, starting with a report from the Naval Criminal Investigative Service in December of 2007 that “a large quantity of sensitive information” was being stolen from two computers at the company’s US subsidiary, QinetiQ North America (QNA). A month later, NASA informed QNA that one of the company’s computers was being used in a cyberattack on its network. Read 1 remaining paragraphs | Comments

More:
Defense contractor pwned for years by Chinese hackers

Microsoft rolls out standards-compliant two-factor authentication

Microsoft today announced that it is rolling out optional two-factor authentication to the 700 million or so Microsoft Account users, confirming last week’s rumors . The scheme will become available to all users “in the next few days.” It works essentially identically to existing schemes already available for Google accounts. Two-factor authentication augments a password with a one-time code that’s delivered either by text message or generated in an authentication app. Computers that you trust will be allowed to skip the two factors and just use a password, and application-specific passwords can be generated for interoperating with software that doesn’t support two-factor authentication. Read 1 remaining paragraphs | Comments

Read this article:
Microsoft rolls out standards-compliant two-factor authentication

“Syrian Electronic Army” hacks NPR publishing system, edits articles

NPR’s Web publishing system and several of the news agency’s Twitter accounts were hacked yesterday by a group supportive of the Syrian government that calls itself the “Syrian Electronic Army.” “Late Monday evening, several stories on the NPR website were defaced with headlines and text that said ‘Syrian Electronic Army Was Here,'” an NPR statement published in a NPR.org news story on the incident said. “Some of these stories were distributed to and appeared on NPR Member Station websites. We have made the necessary corrections to those stories on NPR.org and are continuing to work with our Member Stations. Similar statements were posted on several NPR Twitter accounts. Those Twitter accounts have been addressed. We are closely monitoring the situation.” Sophos’s Naked Security blog published a summary of the hack , including a screenshot of a Google search showing some of the headlines edited by the Syrian Electronic Army: Read 3 remaining paragraphs | Comments

Continue reading here:
“Syrian Electronic Army” hacks NPR publishing system, edits articles

Huge attack on WordPress sites could spawn never-before-seen super botnet

CloudFlare Security analysts have detected an ongoing attack that uses a huge number of computers from across the Internet to commandeer servers that run the WordPress blogging application. The unknown people behind the highly distributed attack are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems, researchers from at least three Web hosting services reported. At least one company warned that the attackers may be in the process of building a “botnet” of infected computers that’s vastly stronger and more destructive than those available today. That’s because the servers have bandwidth connections that that are typically tens, hundreds, or even thousands of times faster than botnets made of infected machines in homes and small businesses. “These larger machines can cause much more damage in DDoS [distributed denial-of-service] attacks because the servers have large network connections and are capable of generating significant amounts of traffic,” Matthew Prince, CEO of content delivery network CloudFlare, wrote in a blog post describing the attacks. Read 10 remaining paragraphs | Comments

See the original article here:
Huge attack on WordPress sites could spawn never-before-seen super botnet

How whitehats stopped the DDoS attack that knocked Spamhaus offline

Unlike Unicast-based networks, Anycast systems use dozens of individual data centers to dilute the effects of distributed denial-of-service attacks. CloudFlare As an international organization that disrupts spam operators, the Spamhaus Project has made its share of enemies. Many of those enemies possess the Internet equivalent of millions of water cannons that can be turned on in an instant to flood targets with more traffic than they can possibly stand. On Tuesday, Spamhaus came under a torrential deluge—75 gigabits of junk data every second—making it impossible for anyone to access the group’s website (the real-time blacklists that ISPs use to filter billions of spam messages were never effected). Spamhaus quickly turned to CloudFlare, a company that secures websites and helps mitigate the effects of distributed denial-of-service attacks. This is a story about how the attackers were able to flood a single site with so much traffic, and the way CloudFlare blocked it using a routing methodology known as Anycast. Read 8 remaining paragraphs | Comments

View article:
How whitehats stopped the DDoS attack that knocked Spamhaus offline

One day after iOS 6.1.3, a new iPhone lock screen bug emerges

Just a day after Apple released iOS 6.1.3 , a new lock screen bug has been discovered that could give an attacker access to private information. The vulnerability is different from the passcode bug(s) addressed by Tuesday’s iOS update, but the end result is similar: access to iPhone’s contact list and photos. The new lock screen bug was first documented by YouTube user videosdebarraquito , who posted a video demoing the procedure. The basic gist, seen in the video below, is to eject the iPhone’s SIM card while using the built-in voice controls to make a phone call. Bypassing the iPhone passcode lock on iOS 6.1.3. There are a couple important things to keep in mind, though. For one, it seems like this bug applies to most modern iPhones, though apparently the procedure isn’t as easy as it looks. The YouTube video above shows the hack being executed on an iPhone 4, and iphoneincanada was able to replicate it on an iPhone 4. TheNextWeb was able to replicate it on an iPhone 4S but not an iPhone 5. But the iPhone 5 didn’t get away scot free, as German language site iPhoneblog.de appears to have been able to replicate the bug on that version of the phone. We have not yet seen a confirmed case of the bug existing on the iPhone 3GS, though it’s probably safe to assume that it does. Read 1 remaining paragraphs | Comments

Excerpt from:
One day after iOS 6.1.3, a new iPhone lock screen bug emerges

Cisco switches to weaker hashing scheme, passwords cracked wide open

Password cracking experts have reversed a secret cryptographic formula recently added to Cisco devices. Ironically, the encryption type 4 algorithm leaves users considerably more susceptible to password cracking than an older alternative, even though the new routine was intended to enhance protections already in place. It turns out that Cisco’s new method for converting passwords into one-way hashes uses a single iteration of the SHA256 function with no cryptographic salt. The revelation came as a shock to many security experts because the technique requires little time and computing resources. As a result, relatively inexpensive computers used by crackers can try a dizzying number of guesses when attempting to guess the corresponding plain-text password. For instance, a system outfitted with two AMD Radeon 6990 graphics cards that run a soon-to-be-released version of the Hashcat password cracking program can cycle through more than 2.8 billion candidate passwords each second. By contrast, the type 5 algorithm the new scheme was intended to replace used 1,000 iterations of the MD5 hash function. The large number of repetitions forces cracking programs to work more slowly and makes the process more costly to attackers. Even more important, the older function added randomly generated cryptographic “salt” to each password, preventing crackers from tackling large numbers of hashes at once. Read 7 remaining paragraphs | Comments

Continue reading here:
Cisco switches to weaker hashing scheme, passwords cracked wide open

Dating site Zoosk resets some user accounts following password dump (Updated)

A screenshot from Jeremi Gosney showing passwords cracked by the ocl-Hashcat-plus program. Jeremi Gosney Zoosk.com, an online dating service with about 15 million unique visitors each month, is requiring some users to reset their passwords. The move comes after someone published a list cryptographically protected passcodes that may have been used by subscribers to the website. In the past, the San Francisco-based company has said it has more than 50 million users . With this dump, a small but statistically significant percentage of the 29-million-strong password list contained the word “zoosk,” an indication that at least some of the credentials may have originated with the dating site. Jeremi Gosney, a password expert at Stricture Consulting Group , said he cracked more than 90 percent of the passwords and found almost 3,000 had links to Zoosk. The cracked passcodes included phrases such as “logmein2zoosk,” “zoosk password,” “myzooskpass,” “@zoosk,” “zoosk4me,” “ilovezoosk,” “flirtzoosk,” “zooskmail.” Other passwords contained strings such as “flirt,” “lookingforlove,” “lookingforguys,” and “lookingforsex,” another indication that they were used to access accounts at one or more dating websites. Many users choose passwords containing names, phrases, or topics related to the specific website or generic type of service they’re used to access. In December, Ars profiled a 25-GPU cluster system Gosney built that’s capable of trying every possible Windows passcode in the typical enterprise in less than six hours. . Read 6 remaining paragraphs | Comments

Originally posted here:
Dating site Zoosk resets some user accounts following password dump (Updated)