June 17, 2013

Microsoft disrupts half billion dollar Citadel botnet

(LiveHacking.Com) – Microsoft’s Digital Crimes Unit, together with the FBI and several financial services companies, has disrupted more than 1,400 Citadel botnets that were responsible for over half a billion dollars in losses to individuals and businesses worldwide.

The massive cybercrime operation was responsible for stealing people’s online banking information and personal identities. Citadel used a remotely installed keylogging program to steal data from about five million machines. The criminals then used the stolen usernames and passwords to log into victims’ online bank accounts and take money from them. No particular bank was targeted; cash was taken from well-known institutions including American Express, Bank of America, PayPal, HSBC, Royal Bank of Canada and Wells Fargo.

Microsoft outlined how Citadel used PCs bundled with pirated versions of Windows to pre-infect machines before they reached their owners. “We also found that cybercriminals are using fraudulently obtained product keys created by key generators for outdated Windows XP software to develop their malware and grow their business, demonstrating another link between software piracy and global cybersecurity threats,” said Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.

To avoid detection, Citadel blocked victims’ access to many legitimate anti-virus/anti-malware sites, which meant that they could not easily remove the threat from their PCs. As part of the disruptive action Microsoft has restored access to these previously blocked sites.

Apple updates OS X and Safari to fix critical security issues

(LiveHacking.Com) – Apple has released updates for Mac OS X 10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8 and v10.8.3 to fix a range of critical security vulnerabilities, including a fix for an error that could allow a remote attacker to execute arbitrary code with system privileges on Macs with Directory Service enabled. At the same time Apple has also released Safari 6.0.5. The new release of the web browser, which is also included in OS X Mountain Lion v10.8.4, fixes a range of WebKit errors, many of which have previously been fixed in Google Chrome.

Mac OS X

Several different security related bugs have been fixed in OS X. Among them was an unbounded stack allocation issue in the handling of text glyphs. It could be exploited by visiting a maliciously crafted site and may lead to an unexpected application termination or arbitrary code execution. The Directory Services vulnerability only applies to OS X 10.6. A remote attacker could execute arbitrary code with system privileges on Macs with Directory Service enabled due to an error in the way the directory server handled certain messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to terminate or execute arbitrary code with system privileges.

There were also several fixes for OpenSSL. There are known attacks on the confidentiality of TLS 1.0 when compression is enabled; to address this Apple has disabled compression in OpenSSL. OpenSSL was also updated to version 0.9.8x to address multiple vulnerabilities, which may lead to denial of service or disclosure of a private key.

Other fixes include:

  • An attacker with access to a user’s session may be able to log into previously accessed sites, even if Private Browsing was used
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  • A local user in the lpadmin group may be able to read or write arbitrary files with system privileges
  • A local user who is not an administrator may disable FileVault using the command-line. This issue was addressed by adding additional authentication.
  • Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted QTIF file may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted FPX file may lead to an unexpected application termination or arbitrary code execution
  • Playing a maliciously crafted MP3 file may lead to an unexpected application termination or arbitrary code execution

Multiple vulnerabilities also existed in Ruby on Rails, the most serious of which may lead to arbitrary code execution on systems running Ruby on Rails applications. These issues were addressed by updating Ruby on Rails to version 2.3.18.

It is worth noting that starting with OS X 10.8.4, Java Web Start (i.e. JNLP) applications downloaded from the Internet need to be signed with a Developer ID certificate.

Safari

All the fixes in the new release of Safari are related to WebKit as follows:

  • Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • A cross-site scripting issue existed in the handling of iframes. This issue was addressed through improved origin tracking.
  • A cross-site scripting issue existed in the handling of copied and pasted data in HTML documents. This issue was addressed through additional validation of pasted content.
  • XSS Auditor may rewrite URLs to prevent cross-site scripting attacks. This may lead to a malicious alteration of the behavior of a form submission. This issue was addressed through improved validation of URLs.

More information about the security content of Safari 6.0.5 can be found here.

Sky hacked by the Syrian Electronic Army

(LiveHacking.Com) – Several apps belonging to British Sky Broadcasting (Sky) have been removed from Google’s official Android app store following an attack on Sky by the Syrian Electronic Army. The SEA also hacked into one of Sky’s Twitter accounts, where it urged readers to download the newly defaced apps. The SEA aligns itself with Syrian President Bashar al-Assad, but denies operating under the orders of his government.

As part of the hack, six of Sky’s Android apps were defaced by having their logos replaced with the SEA logo. The descriptions of the apps, which included the company’s Sky News, Sky Sports News, Sky Sports Football, Sky WiFi, Sky+ and Sky Go apps, were also altered to read: “Syrian Electronic Army Was Here”. The screenshots for the apps were replaced as well.

The attack on a Google Play account is something new for the SEA, which until now has focused on breaching the social media accounts of various media companies and western politicians. Normally, once an account was hacked, the SEA would publish false information. Last month the SEA launched an attack on AP’s Twitter account and published a false tweet about the White House being bombed and President Barack Obama being injured. The tweet led to a multi-million dollar drop in the Dow.

According to another Sky account: “Due to a security breach Twitter has locked down @skyhelpteam & we are currently unable to tweet from it.” A Sky spokesman told the BBC it was working to reinstate its apps now that they have been taken offline.

Over the weekend, it was also reported by the Israeli press that the SEA had mounted a failed attempt to disrupt the water supply in the port city of Haifa. The Jerusalem Post said that the chairman of the Science Ministry’s National Council for Research and Development, Prof Yitzhak Ben Yisrael, revealed that earlier this month the hackers tried to damage the computers controlling the city’s infrastructure.

Microsoft and Adobe release patches for Critical vulnerabilities

(LiveHacking.Com) – Two of the biggest names in PC software have released patches for a variety of their respective software products to fix critical security related issues. Microsoft has released 10 security bulletins to address 33 vulnerabilities in Microsoft Windows, Internet Explorer, .NET Framework, Lync, Office, and Windows Essentials, while Adobe has issued security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.

Among the Microsoft patches are two cumulative updates for Internet Explorer. The first (MS13-037) resolves 11 issues in IE that could allow remote code execution if a user visits a specially crafted Web page using the browser. The second (MS13-038) addresses the Internet Explorer 8 remote code execution vulnerability that could affect users if they mistakenly follow a link, in an email or instant message, to a malicious website. This update to IE8 is important as it is the only currently supported version of IE that users of Windows XP can use.

Another interesting patch from Redmond is a security update that resolves an issue in Windows that could allow denial of service if an attacker sends a specially crafted HTTP packet to an affected Windows server or client.

Adobe’s updates include security updates for Adobe Flash Player for Windows, Macintosh, Linux and Android. These updates address vulnerabilities that could cause a crash or potentially allow an attacker to take control of the affected system. The updates also affect Adobe AIR. All the patches are related to memory corruption issues that could be exploited to allow an attacker to execute arbitrary code.

Adobe also updated Adobe Reader and Acrobat for Windows, OS X and Linux. As with the updates to Flash, these patches address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. The following versions are affected: Adobe Reader and Acrobat XI (11.0.02) and earlier versions for Windows and Macintosh, and Adobe Reader 9.5.4 and earlier 9.x versions for Linux.


Microsoft releases Fix It for critical Internet Explorer 8 vulnerability

(LiveHacking.Com) – Less than a week ago Microsoft revealed that version 8 of its web browser Internet Explorer suffers from a nasty remote code execution vulnerability that could catch users if they mistakenly follow a link, in an email or instant message, to a malicious website. Microsoft’s initial recommendation was to upgrade to IE 9 or IE 10, which unfortunately isn’t possible for Windows XP users.

For those stuck with IE 8, Microsoft suggested setting the Internet and local intranet security zone settings to “High” and configuring Internet Explorer to prompt before running any Active Scripting. Microsoft didn’t however mention one other important option – switch to Google Chrome or Mozilla Firefox!

If switching isn’t an option and you don’t know how to fiddle with the security zone settings, Microsoft has now released an “easy, one-click Fix it” to help mitigate this problem. The MSHTML Shim Workaround isn’t intended to be a replacement for a proper security update, and Microsoft is suggesting that we all wait a day or two to see what it has planned for May’s Patch Tuesday, the implication being that the IE8 bug will be fixed then.
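A read-only PowerShell audit of the zone workaround described above, added here as an example that is not part of the original article. It assumes Internet Explorer’s standard per-user zone policy layout in the registry (Zones\1 for Local intranet, Zones\3 for Internet, the CurrentLevel template ids and the 1400 “Active scripting” value); none of that is stated on the page, and the script only reports, it changes nothing.

```powershell
# Added example (not from the article): report whether the IE8 zone
# workaround (zone level High, or Active scripting set to Prompt/Disable)
# is in place for the current user. Registry layout assumed from IE's
# standard zone policy; checked in the HKCU hive only.
$base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones  = @{ 1 = 'Local intranet'; 3 = 'Internet' }
# CurrentLevel holds the template id shown on the zone slider.
$levels = @{ 0x12000 = 'High'; 0x11500 = 'Medium-high'; 0x11000 = 'Medium';
             0x10500 = 'Medium-low'; 0x10000 = 'Low' }
# Value name 1400 = "Active scripting": 0 = Enable, 1 = Prompt, 3 = Disable.
$states = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$report = foreach ($id in $zones.Keys) {
    $props     = Get-ItemProperty -Path (Join-Path $base $id) -ErrorAction SilentlyContinue
    $level     = [int]$props.CurrentLevel
    $scripting = $props.'1400'
    # The workaround is satisfied if the zone template is High, or if
    # Active scripting is no longer simply enabled (Prompt or Disable).
    $ok = ($level -eq 0x12000) -or ($scripting -in 1, 3)
    [pscustomobject]@{
        Zone            = $zones[$id]
        Level           = if ($levels.ContainsKey($level)) { $levels[$level] } else { 'custom (0x{0:X})' -f $level }
        ActiveScripting = if ($null -ne $scripting -and $states.ContainsKey([int]$scripting)) { $states[[int]$scripting] } else { 'unknown' }
        Mitigated       = $ok
    }
}
$report | Format-Table -AutoSize
```

A zone reported as Mitigated = False still runs Active scripting from that zone without prompting, which is the exposure the article’s workaround is meant to close.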

China suspected to be behind U.S. Army Corps of Engineers database hack

(LiveHacking.Com) – U.S. intelligence agencies are treating a recent cyber attack and subsequent intrusion into a database belonging to the U.S. Army Corps of Engineers as a cyber attack from China. According to the Free Beacon, U.S. intelligence agencies have traced the hack to the Chinese government or military cyber warriors.

The compromised database belonged to the U.S. Army Corps of Engineers and held data about dams. The National Inventory of Dams (NID) contains information on possible vulnerabilities of some 8,000 dams across the United States. In a worst case scenario the attack is a preemptive move by China in preparation for future cyber attacks against the nation’s electrical infrastructure.

“The U.S. Army Corps of Engineers is aware that access to the National Inventory of Dams (NID), to include sensitive fields of information not generally available to the public, was given to an unauthorized individual in January 2013 who was subsequently determined not to have the proper level of access for the information,” said Pete Pierce, a Corps of Engineers spokesman.

Upon discovering the unauthorized access the Corps of Engineers revoked the user’s access to the database.

The database collects information about dams which are either large (those that exceed 25 feet in height or exceed 50 acre-feet of storage) or those that have a hazard classification because of the loss of human life that would result if the dam failed. The database was started in 1972 when laws came into effect that required cooperation between the Corps and the Federal Emergency Management Agency. These laws were updated in 2002 and 2006 to recognize that dams are part of critical U.S. infrastructure and require protection.

In January, a report published by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the Department of Homeland Security’s Office of Cybersecurity and Communications, revealed that the last three months of 2012 saw at least two instances of malware infecting computers inside power generation facilities.

Microsoft patches Kernel-Mode driver after blue screen of death issues

(LiveHacking.Com) – Microsoft has released a new patch to replace the Kernel-Mode driver update which was released as part of April’s Patch Tuesday. Problems started to arise with the update and Microsoft had to pull the patch. Peculiar to Windows 7, the patch could put systems into a situation where they failed to recover from a reboot (as they just kept rebooting) or make certain applications (specifically from Kaspersky) fail.

According to a Microsoft knowledge base article the symptoms are either an Event ID 55 or a 0xc000021a Stop error during the boot process. The Event ID 55 wrongly claims that the file system structure on the disk is corrupt and unusable and forces a run of the Chkdsk utility. The Stop error simply says that the Session Manager Initialization system process terminated unexpectedly, and the system shuts down. Any attempt to reboot will likely result in the same stop code.

The new update, KB2840149, has been rebuilt and still addresses the Moderate security issue described in MS13-036 but without the previous problems. For those with automatic updates enabled, you won’t need to take any actions. If you are applying updates manually Microsoft recommends you apply this update as soon as possible.

Oracle updates Java, as does Apple

(LiveHacking.Com) – Oracle has released a Critical Patch Update (CPU) for Java SE. The update, which affects Java 5, Java 6 and Java 7, fixes 42 vulnerabilities within Java, the vast majority of which have been rated as Critical.

Besides the fixes, the biggest change is to the Java security dialogs. Now JavaScript code that calls code within a privileged applet triggers warning dialogs if the signed JAR files are not tagged with the Trusted-Library attribute.

“The JDK 7u21 release enables users to make more informed decisions before running Rich Internet Applications (RIAs) by prompting users for permissions before an RIA is run. These permission dialogs include information on the certificate used to sign the application, the location of the application, and the level of access that the application requests,” said Oracle.

According to Oracle Executive Vice President Hasan Rizvi not all the known Java problems have been fixed, but there are no unpatched vulnerabilities that are being actively exploited in the wild.

Java has been prone to security vulnerabilities in the last few years, and earlier this year a global hacking campaign managed to infect computers inside hundreds of companies, including Facebook, Apple and Twitter. In light of these threats the US Department of Homeland Security has previously recommended that users disable Java in the browser completely.

Apple

Gone are the days when Apple’s Java update would come several months after Oracle’s fixes. As is now becoming the norm, Apple released its updates on the same day as Oracle. Java for OS X 2013-003 and Mac OS X v10.6 Update 15 address multiple vulnerabilities in Java, some of which could allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. To exploit this a hacker need only convince a user to visit a specially crafted web page with an untrusted Java applet. For more information Apple recommends reading the Java 6 update 45 release notes.

Apple also released a new version of its Safari web browser for OS X Lion v10.7.5, OS X Lion Server v10.7.5 and OS X Mountain Lion v10.8.3. It fixes problems where visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. The problem was an invalid cast that existed in the handling of SVG files. For more information see the Safari 6.0.4 page on Apple’s website.

Microsoft’s Patch Tuesday Kernel-Mode driver update causing problems

(LiveHacking.Com) – Last Tuesday Microsoft released nine security bulletins to address 14 different vulnerabilities in its products, including one to fix vulnerabilities in Windows’ Kernel-Mode Driver that could allow an attacker to gain elevated privileges. Following the release of the patches, reports started to appear about Windows 7 systems that fail to recover from a reboot (as they just keep rebooting) or applications (specifically from Kaspersky) that fail after the security update is applied. Microsoft recommends that customers uninstall this update and it has removed the download links to the update while it investigates.

According to a Microsoft knowledge base article the symptoms are either an Event ID 55 or a 0xc000021a Stop error during the boot process. The Event ID 55 wrongly claims that the file system structure on the disk is corrupt and unusable and forces a run of the Chkdsk utility. The Stop error simply says that the Session Manager Initialization system process terminated unexpectedly, and the system shuts down. Any attempt to reboot will likely result in the same stop code.

According to Microsoft, systems with the update applied that use Kaspersky Anti-Virus for Windows Workstations or Kaspersky Anti-Virus for Windows Servers versions 6.0.4.1424 and 6.0.4.1611 may display an error message saying that the license for the product is not valid.

Microsoft fixes Critical IE and Remote Desktop flaws

(LiveHacking.Com) – Microsoft has released a series of nine security bulletins (two Critical and seven Important) to fix 14 different vulnerabilities in a range of its products, including Microsoft Windows, Internet Explorer, Microsoft Antimalware and Windows Server Software.

The first of the two Critical level bulletins patches Internet Explorer against a remote code execution attack which could occur if users visited a specially crafted webpage using IE. A successful exploit would mean that the attacker gains the same rights as the current user. The good news is that both of these IE issues were privately disclosed and Microsoft has not detected any attacks or customer impact. The vulnerabilities affect Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10.

There is also a remote code execution patch for Windows in connection with the Windows Remote Desktop Client ActiveX control. As with the IE bugs, this vulnerability could allow remote code execution if an attacker convinces a customer to view a website containing specially crafted content that exploits the vulnerability. This bug is seen as Critical for the Remote Desktop Connection 6.1 Client and the Remote Desktop Connection 7.0 Client on Windows XP, Windows Vista, and Windows 7.

Although Windows 8 was not affected by the Remote Desktop vulnerability, it isn’t immune to other problems including an exclusive patch for problems with the Windows 8 antimalware client used in Windows Defender.

Microsoft received a private report about a vulnerability that could allow elevation of privilege due to the pathnames used by the Microsoft Antimalware Client. If successfully exploited, an attacker could execute arbitrary code and take complete control of an affected system. This would allow them to install programs and create new accounts. The bulletin is marked as Important (and not Critical) for Windows 8 and Windows RT as an attacker must have valid logon credentials to exploit the vulnerability.