Hackers on Friday infiltrated the website of the Apache Software Foundation, which provides open-source code for more than 50 percent of web servers on the internet. Web security experts cautioned that recent downloads from the Apache.org site may not be secure.
Apache said Friday that attackers compromised an SSH key through an account on a third-party hosting provider and were able to upload files to an Apache server, according to Threatpost.com.
"To the best of our knowledge at this time, no end users were affected by this incident and the attackers were not able to escalate their privileges on any machines," Apache said in a blog post on Friday. "While we have no evidence that downloads were affected, users are always advised to check digital signatures where provided."
Apache's website was down for several hours on Friday before the group moved hosting to uncompromised servers based in Europe, according to the Register.
Security firm MX Logic said on its IT security blog that Apache is a potential high-value target for criminals because of the high proportion of web servers running its software.
"[A]ny infected software downloads could lead to backdoors in systems that install binaries with embedded Trojans," the company said.
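Apache's advice to check digital signatures is the practical takeaway of this story. The following is an added example, not code from Apache or from the original post, showing the checksum half of that check: it parses a `sha256sum`-style line, streams the downloaded file through SHA-256, and refuses the file if either the filename or the digest differs. The filename and file contents are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 64 * 1024


def sha256_of_file(path):
    """Stream the file through SHA-256 so large archives never sit fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_checksum_line(line):
    """Parse one 'sha256sum'-style line: '<64 hex chars>  <filename>'.
    A leading '*' on the filename (sha256sum's binary-mode marker) is accepted."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("malformed checksum line")
    expected, name = parts
    if len(expected) != 64 or any(c not in "0123456789abcdefABCDEF" for c in expected):
        raise ValueError("expected a 64-character hex SHA-256 digest")
    return expected.lower(), name.lstrip("*")


def verify_download(path, checksum_line):
    """True only if the published filename matches and the digests are identical.
    hmac.compare_digest is a constant-time comparison; it costs nothing to use here."""
    expected, name = parse_checksum_line(checksum_line)
    if os.path.basename(path) != name:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo():
    """Constructed scenario: a checksum is 'published' for a pristine archive,
    then the archive on the mirror is altered after the checksum was recorded."""
    workdir = tempfile.mkdtemp()
    archive = os.path.join(workdir, "example-download.tar.gz")  # constructed filename
    with open(archive, "wb") as fh:
        fh.write(b"pristine archive bytes\n" * 100)
    published = f"{sha256_of_file(archive)}  example-download.tar.gz"
    pristine_ok = verify_download(archive, published)
    with open(archive, "ab") as fh:
        fh.write(b"\x00")  # a single appended byte is enough to change the digest
    tampered_ok = verify_download(archive, published)
    return {"pristine_ok": pristine_ok, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(demo())
```

A checksum only proves the bytes match what the checksum file says; if both were served from the same compromised host, the attacker can rewrite both. That is why the Apache advice names signatures: a detached `.asc` signature verified with `gpg --verify` against a release key obtained out of band ties the download to the release manager's key rather than to the server it came from.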
Monthly Archives: August 2009
Skype Trojan malware can secretly record VoIP calls
Security researchers have spotted attack code published on the web that could allow hackers to secretly record audio and video sent over the Skype VoIP service. The Trojan, called Skype.Peskyspy, records Skype calls and stores them as MP3 files for later transmission.
The Trojan injects a dll component into a Skype process and then hooks the "send" and "recv" APIs in Skype to the Trojan's own custom functions, according to web security firm Sophos.
"This allows the Trojan to extract and save the audio and video data and send it back to the attacker," wrote SophosLabs researcher Richard Cohen on the company's blog.
Although Skype secures the data while it's being transmitted between callers, the Trojan can intercept the data at the sender or receiver end.
"In this case, you yourself can be secured to the hilt, but if the person you're talking to on Skype has a Trojan installed then it's still going to steal the words right out of your mouth," Cohen wrote.
The Trojan was discovered by a major internet security firm, which reported that the Trojan is being spread via email links and social engineering attacks in spam emails and messages, according to the Tech Herald.
Researchers crack WPA Wi-Fi encryption in 60 seconds
Two Japanese researchers have found a way to break the encryption of data sent over Wi-Fi Protected Access (WPA), a security protocol for transmitting information via 802.11 wireless LAN, in about 60 seconds.
The hack builds on an attack devised in 2008 by two researchers (Beck and Tews) who managed to crack WPA encryption of short packets of data in 12 to 15 minutes.
In their paper, Toshihiro Ohigashi and Masakatu Morii describe a practical message falsification attack on any WPA implementation that uses the Beck and Tews method in a man-in-the-middle attack (MITM).
In the MITM attack, the user's communication is intercepted by an attacker until the attack ends. Since the victims of the attack might detect it if the attack window is large, the researchers used methods for reducing the execution time of the attack to about one minute.
This attack only works on WPA encryption and cannot recover the WPA encryption key.
WPA2 with AES encryption is now standard on most Wi-Fi products. Hackers have not been able to break the encryption of these formats.
Report: Adobe Flash is ‘biggest security hole’ on the web
In the weeks since Adobe released a critical patch for Flash and Acrobat Reader, research from security firm Trusteer shows that almost 80 percent of internet users are still running unpatched versions.
Based on a survey of the company's 2.5 million customers in North America and Europe, Trusteer said the number of vulnerable users represents "the biggest security hole on the internet today and the failure of Adobe to address it in a timely manner is extremely troubling."
Last month, security researchers discovered exploits of a Flash vulnerability that could infect PCs with Trojan malware when users opened a malicious Adobe Acrobat PDF file, which forced Adobe to rush out security updates for Flash Player, Acrobat and Reader.
According to Adobe, 99 percent of internet users run Flash. By comparison, Internet Explorer is only used by 65 percent of internet users, while Firefox is used by about 30 percent.
"Given these numbers, it is not surprising that criminals are much more focused today on Flash and Acrobat," Trusteer said in an advisory earlier this month.
Security firm Sophos has identified Flash-exploiting malware embedded in Microsoft Excel files and predicted malware authors will use PowerPoint and Word to spread Flash-based attacks.
Will Mac OS X 10.6 Snow Leopard include antivirus protection?
Filed under Security News
Tagged as 10.6, antivirus, Mac OS X, OSX.RSPlug.A, OSX/Puper, Snow Leopard, trojan
Mac OS X 10.6 Snow Leopard, the newest version of the Mac operating system that goes on sale Friday, may contain an antivirus scanner application, according to several security blogs that cover Macs.
The rumor mills started working due to a screen shot showing what appears to be an antivirus scanner on Snow Leopard detecting a Trojan download from the Safari web browser. The screen shot shows the scanner identifying the Trojan as OSX.RSPlug.A.
OSX.RSPlug.A, also known as OSX/Puper, has been spotted by security researchers disguised as a Mac Cinema installer that attempts to download other malware.
According to security researchers at McAfee, the attack appears to users as a disk image, which launches an installer application for the phony Mac Cinema software. Once the installer completes its task, the user becomes infected with a script file named AdobeFlash.
Other Mac malware, known as Jahlav, has been seen in the wild posing as pirated versions of legitimate applications.
The Jahlav Trojan modifies a Mac's DNS settings, allowing Mac users to be victimized by phishing attacks or surreptitiously redirected to websites hosting malicious exploits, Trend Micro reported on its malware blog.
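The DNS-changing behaviour attributed to Jahlav above is something a defender can check for. The following is an added example, not code from Trend Micro, McAfee or the original post: it parses resolver entries from a `resolv.conf`-style configuration and reports any resolver that is not on an approved list, noting separately when the resolver also lies outside the organisation's own address space. The sample configuration, the approved resolvers and the internal network range are all constructed for the demo.

```python
import ipaddress

# Constructed sample: a resolver configuration as it might be read from a host.
# The first two entries belong to the organisation; the third was injected.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search corp.example
nameserver 10.0.0.53
nameserver 10.0.1.53
nameserver 198.51.100.7
options timeout:2
"""

# Constructed policy: resolvers the organisation actually operates, and its networks.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_nameservers(text):
    """Return the resolver addresses in order, ignoring comments and malformed lines."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                continue  # not an IP address; skip rather than crash the audit
    return servers


def audit_resolvers(text, approved=APPROVED_RESOLVERS, internal=INTERNAL_NETWORKS):
    """One finding per resolver that is not on the approved list.
    A resolver outside the internal networks is the stronger signal: DNS-changing
    malware typically points victims at a server the attacker controls elsewhere."""
    findings = []
    for server in parse_nameservers(text):
        if server in approved:
            continue
        addr = ipaddress.ip_address(server)
        outside = not any(addr in net for net in internal)
        reason = "not on approved list"
        if outside:
            reason += ", outside internal networks"
        findings.append({"resolver": server, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{finding['resolver']}: {finding['reason']}")
```

On a live system the text would come from the host's resolver configuration rather than the constructed sample, and the approved list from the organisation's DHCP or configuration management; the audit logic itself does not change.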
Phishing attacks drop: Are computer users smarter?
The share of spam email made up of phishing messages - which are designed to trick recipients into divulging their personal information - has dropped by at least half this year, a sign that computer users may be getting wise to the attacks.
According to the mid-year online threat report from IBM, phishing made up just 0.1 percent of all spam in the first six months of this year, down from 0.2 percent to 0.8 percent of spam during the first half of 2008.
Although phishing still results in identity theft and fraud on a discomforting scale - as many as 55,000 new victims each month, according to one report - Kris Lamb, director of the X-Force research team at IBM, said computer users are getting better at identifying fraudulent emails and websites, according to the Associated Press.
Anti-virus software and better web browsers - which use reputation-based filtering to block websites that may host malware or phishing pages - could also have contributed to the drop-off.
However, cybercriminals may just be moving on to other tactics, such as targeting users of web 2.0 sites like Facebook and Twitter.
A number of rogue applications were spotted last week on Facebook that send messages with links to a phishing website for stealing login credentials. The apps attempt to harvest users' Facebook login names and passwords in order to send out more phishing spam from their accounts.
Cisco wireless LAN access points vulnerable to hacker attack
Filed under Security News
Tagged as access point, AirMagnet, AP, Cisco, flaw, LAN, OTAP, Over-the-Air-Provisioning, security, wireless
Security researchers at AirMagnet have uncovered a security flaw in Cisco's wireless LAN infrastructure that could allow a hacker to hijack a wireless access point to gain access to a customer's network.
The vulnerability involves Cisco's Over-the-Air-Provisioning (OTAP) feature found in its wireless access points (APs). The OTAP feature allows a Cisco AP that is not connected to a Cisco controller to listen to traffic from other nearby Cisco APs and use that information to quickly locate a nearby WLAN controller to associate to.
AirMagnet said there is an unintentional exposure or leakage of information in all lightweight Cisco APs and the potential for APs to be incorrectly assigned to an outside Cisco controller (what the researchers call "SkyJacked") either by accident or at the direction of a potential hacker.
The potential exists for the Cisco AP to "hear" multicast traffic from a neighboring network and incorrectly connect to a neighbor or otherwise unapproved Cisco controller. This ultimately could lead to an enterprise's access point connecting outside of the company to an outside controller and therefore being under outside control.
This same mechanism could be done intentionally by a hacker to purposely SkyJack APs and take control of an enterprise's access point.
AirMagnet said it has informed Cisco of this vulnerability and potential exploit. Cisco is "taking appropriate actions."
Hacker in Heartland data breach a ‘fall guy’ for Russians?
IT security experts are suggesting that 28-year-old Albert Gonzales, who was indicted last week for involvement in the massive data breach of Heartland Payment Systems, may just be a fall guy for more expert hackers who have escaped justice in Russia.
Gonzales was charged last Monday with conspiracy and wire fraud for his involvement, along with two unnamed Russian co-conspirators, in hacking the network firewalls of Heartland Payment Systems and of the retail chains 7-Eleven and Hannaford Brothers.
Gonzales was already in custody and facing trial in two other hacking cases for data theft from TJX and another retailer.
But security experts say Gonzales may have been just "the tip of the iceberg" rather than the real mastermind behind the attacks, and that the masterminds are likely connected to criminal gangs in Russia and elsewhere in Eastern Europe.
Writing at the Trend Micro malware blog, security researcher Paul Ferguson said there is "an entire Eastern European organized criminal operation that is further along in this food chain."
Richard Koman, writing for ZDNet, said Gonzales may have been "a low-level purveyor of data" who was used by the Russians for "scope-out work" to locate the vulnerabilities exploited by the other hackers.
Hacker attack forces shutdown of Michael Savage website
The website of controversial radio talk show host Michael Savage was forced to shut down for an hour on Saturday after a hacker infiltrated the site, according to WorldNetDaily.
WorldNetDaily reported that the hacker had broken in through a feedback portal and "damaged" the site. Savage, who has been placed on a list of banned people in the UK for spreading hatred, blamed Britain for the hack on his website.
Savage has been critical of the UK over the recent release of Abdelbaset Ali al-Megrahi, convicted of bombing the flight that came down over Lockerbie, Scotland, who has since returned to his native Libya.
"Why on the day of the worldwide furor over the release of the Lockerbie bomber by [British Prime Minister] Gordon Brown would Michael Savage's website be hacked?" Savage said, according to WorldNetDaily. "We cannot say who did this, but would it not be a possibility that the Brits themselves ordered this hack attack?"
Political hackers often use methods like a SQL injection attack to infiltrate web servers and post digital graffiti on websites.
Earlier this month, hackers broke into the websites of several members of the U.S. House of Representatives, replacing portions of their home pages with digital graffiti, according to the Washington Post Security Fix blog.
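The SQL injection technique mentioned above comes down to user input being spliced into a query as SQL text. The following is an added example, not code from any of the sites in the story: a login lookup written the vulnerable way, next to the same lookup using a parameterized query, run against a constructed in-memory SQLite table so the difference can be observed directly.

```python
import sqlite3


def make_db():
    """Constructed sample table; an in-memory database so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so the input becomes part of the SQL.
    A username containing a quote and a comment marker ends the string literal and
    discards the password condition entirely."""
    query = (
        "SELECT name FROM users "
        f"WHERE name = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Passes the values as parameters; the driver sends them as data, never as SQL,
    so the same hostile username simply fails to match any row."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    hostile_user = "alice' --"  # constructed test input, not a real credential
    print("vulnerable:", login_vulnerable(db, hostile_user, "wrong"))
    print("parameterized:", login_safe(db, hostile_user, "wrong"))
```

The defence is the same whether the target is a login form, a feedback portal or a comments page: never build SQL from concatenated strings, and treat every field that reaches the database as data to be bound, not text to be interpreted.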
Hackers prefer Firefox, Opera web browsers
Hackers prefer to use the Firefox and Opera web browsers, according to web security researcher Paul Royal of Purewire, who spent three months monitoring the activity of hackers who use exploit toolkits.
Royal said hackers likely prefer Opera, which 26 percent use, because its overall market share is only about 2 percent, meaning few other hackers bother to write malware to attack that browser. Mozilla's Firefox browser was used by 46 percent of the hackers, Royal said, according to a report from the UK Register.
Hackers are likely aware of the exploits that plague the most popular browser, Microsoft's Internet Explorer (IE). "It makes them wary of using mainstream browsers," Royal said, according to the Register.
IE has been exploited recently by flaws in the Video ActiveX controls, the subsystem that allows IE users to watch videos in the browser. The company has issued multiple security updates to fix flaws in that system, including an "out-of-band" patch earlier this month.
The latest version, IE8, surpassed other browsers in a security test sponsored by Microsoft and run by an independent research lab.