Lucian Constantin

Author Archives: Lucian Constantin

A Linux botnet is launching crippling DDoS attacks at more than 150Gbps

A Linux botnet has grown so powerful that it can generate crippling distributed denial-of-service attacks at over 150 Gbps, many times greater than a typical company's infrastructure can withstand.

The malware behind the botnet is known as XOR DDoS and was first identified in September last year. Attackers install it on Linux systems, including embedded devices such as WiFi routers and network-attached storage devices, by guessing SSH (Secure Shell) login credentials using brute-force attacks.

The credentials are used to log into the vulnerable systems and execute shell commands that download and install the malicious program. To hide its presence, the malware also uses common rootkit techniques.
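The infection path described above starts with SSH password guessing, which leaves a distinctive trail in the authentication log before any malware is dropped. The following is an added example, not code from the article or from any XOR DDoS analysis: it parses OpenSSH auth.log lines (constructed sample data, not real logs) and flags sources that fail repeatedly inside a short window, noting whether a password login from the same source later succeeded. The threshold and window are assumptions to tune per host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not real data). 203.0.113.7
# sprays guesses at root and admin and then gets in; 198.51.100.5 is a user
# who mistypes once and then logs in with a key.
SAMPLE_AUTH_LOG = """\
Sep 29 10:00:01 nas sshd[4012]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 29 10:00:02 nas sshd[4014]: Failed password for root from 203.0.113.7 port 51023 ssh2
Sep 29 10:00:02 nas sshd[4016]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Sep 29 10:00:03 nas sshd[4018]: Failed password for invalid user admin from 203.0.113.7 port 51025 ssh2
Sep 29 10:00:04 nas sshd[4020]: Failed password for root from 203.0.113.7 port 51026 ssh2
Sep 29 10:00:05 nas sshd[4022]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Sep 29 10:00:07 nas sshd[4030]: Failed password for alice from 198.51.100.5 port 40210 ssh2
Sep 29 10:00:09 nas sshd[4031]: Accepted publickey for alice from 198.51.100.5 port 40211 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_auth_log(text, year=2015):
    """Return (timestamp, result, method, user, ip) tuples for sshd auth lines.
    Syslog lines carry no year, so one is supplied (assumed here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Return {ip: info} for sources with >= threshold failed logins inside any
    window_seconds span. info lists the usernames tried and whether a password
    login from the same IP succeeded at or after the last failure, which is the
    signature of a guess that worked."""
    failures = defaultdict(list)
    for ts, result, method, user, ip in events:
        if result == "Failed":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):  # sliding window over failure times
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[end][0]
                success_after = any(
                    r == "Accepted" and m == "password" and i == ip and t >= last_fail
                    for t, r, m, u, i in events
                )
                flagged[ip] = {
                    "failures": len(fails),
                    "users": sorted({u for _, u in fails}),
                    "success_after": success_after,
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

A source that is flagged with `success_after` set should be treated as a likely compromise rather than a blocked attempt; the next step on the host is to look for newly installed binaries and persistence, since the article notes the malware hides itself with rootkit techniques once it is in. Disabling password authentication in sshd_config (`PasswordAuthentication no`) removes this entry point altogether on devices that allow it.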

Newly found TrueCrypt flaw allows full system compromise

Windows users who rely on TrueCrypt to encrypt their hard drives have a security problem: a researcher has discovered two serious flaws in the program.

TrueCrypt may have been abandoned by its original developers, but it remains one of the few encryption options for Windows. That keeps researchers interested in finding holes in the program and its spin-offs.

James Forshaw, a member of Google's Project Zero team that regularly finds vulnerabilities in widely used software, has recently discovered two vulnerabilities in the driver that TrueCrypt installs on Windows systems.

The flaws, which were apparently missed in an earlier independent audit of the TrueCrypt source code, could allow attackers to obtain elevated privileges on a system if they have access to a limited user account.

After pushing malware, ad networks also used for DDoS

Rogue online advertisements that infect computers with malware have become a common occurrence on the Internet. But now, it appears, hackers have also figured out how to launch crippling distributed denial-of-service (DDoS) attacks through ad networks.

The DDoS mitigation team at CloudFlare recently observed a large-scale attack which they believe was the result of malicious ads being loaded inside apps and browsers on mobile devices.

The attack, which targeted one of the company's customers, peaked at 275,000 HTTP requests per second and was launched from over 650,000 unique IP (Internet Protocol) addresses, most of them from China.

What was interesting about this attack was that the requests appeared to be generated by real browsers, not scripts or malware, as are typically used in HTTP-based DDoS attacks. Furthermore, an analysis of the request headers indicated that almost 80 percent of the devices generating the traffic were smartphones and tablets.
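The distinguishing features named above (a very large number of client addresses each sending little, browser rather than script User-Agents, and a mobile-heavy device mix) can be pulled out of an ordinary access log. The block below is an added example, not CloudFlare's tooling or data: it profiles the clients of one URL from constructed log lines in the common "combined" format, separates an ad-delivered browser crowd (browser UA, few requests each, one shared referer) from classic script sources, and reports the mobile share of that crowd. The referer and UA strings are constructed, and the per-IP request cap is an assumption.

```python
import re
from collections import defaultdict

# Constructed User-Agent strings of the kind real mobile/desktop browsers send.
UA_ANDROID = "Mozilla/5.0 (Linux; Android 5.1; SM-G920F) AppleWebKit/537.36 Chrome/43.0 Mobile Safari/537.36"
UA_IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 Mobile/12H143 Safari/600.1.4"
UA_DESKTOP = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/45.0 Safari/537.36"
UA_CURL = "curl/7.43.0"
AD_REF = "http://ads.example/creative.html"  # constructed ad-creative referer
TARGET = "/api/search?q=x"


def _line(ip, sec, path, referer, ua):
    return f'{ip} - - [24/Sep/2015:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512 "{referer}" "{ua}"'


# Constructed log: six mobile and two desktop browsers arrive from the same ad
# creative, two requests each; one desktop user browses a different page; one
# curl script hammers the target from a single address.
_ROWS = [(f"203.0.113.{i}", UA_ANDROID if i % 2 else UA_IPHONE) for i in range(1, 7)] + [
    ("203.0.113.7", UA_DESKTOP), ("203.0.113.8", UA_DESKTOP)]
SAMPLE_ACCESS_LOG = "\n".join(
    [_line(ip, s, TARGET, AD_REF, ua) for ip, ua in _ROWS for s in (0, 1)]
    + [_line("198.51.100.9", 1, "/products", "-", UA_DESKTOP)]
    + [_line("192.0.2.50", s, TARGET, "-", UA_CURL) for s in range(6)]
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_access_log(text):
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["path"] = d["req"].split()[1]
            out.append(d)
    return out


def classify_ua(ua):
    """Coarse device class from the User-Agent header."""
    if ua.startswith(("curl/", "python-requests", "Wget", "Go-http-client")):
        return "script"
    if any(k in ua for k in ("Mobile", "Android", "iPhone", "iPad")):
        return "mobile"
    if ua.startswith("Mozilla/"):
        return "desktop"
    return "unknown"


def profile_clients(records, path):
    """Per-IP view of who requests `path`: request count, device class, referers."""
    clients = {}
    for r in records:
        if r["path"] != path:
            continue
        c = clients.setdefault(r["ip"], {"requests": 0, "class": classify_ua(r["ua"]), "referers": set()})
        c["requests"] += 1
        c["referers"].add(r["referer"])
    return clients


def ad_delivered_crowd(clients, max_per_ip=3):
    """IPs that look like browsers following one ad: browser-class UA, a shared
    non-empty referer, and at most max_per_ip requests each (assumed cap).
    Returns (sorted_ips, shared_referer, mobile_share) or None."""
    by_ref = defaultdict(list)
    for ip, c in clients.items():
        if c["class"] in ("mobile", "desktop") and c["requests"] <= max_per_ip:
            for ref in c["referers"]:
                if ref != "-":
                    by_ref[ref].append(ip)
    if not by_ref:
        return None
    ref, ips = max(by_ref.items(), key=lambda kv: len(kv[1]))
    if len(ips) < 2:
        return None
    mobile = sum(1 for ip in ips if clients[ip]["class"] == "mobile")
    return sorted(ips), ref, mobile / len(ips)


def script_sources(clients, max_per_ip=3):
    """IPs with a script UA or more requests than a browser following an ad would make."""
    return sorted(ip for ip, c in clients.items() if c["class"] == "script" or c["requests"] > max_per_ip)


if __name__ == "__main__":
    clients = profile_clients(parse_access_log(SAMPLE_ACCESS_LOG), TARGET)
    print("crowd:", ad_delivered_crowd(clients))
    print("scripts:", script_sources(clients))
```

The two groups need different responses: per-IP rate limiting stops the curl source but does almost nothing against a crowd of hundreds of thousands of addresses sending two requests each, where the useful handle is the shared referer (the ad creative) and a challenge served to that referer's traffic.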

Silent Circle aims at the enterprise market with Blackphone 2

Silent Circle's second privacy-focused device, the Blackphone 2, is designed to meet the management and security needs of enterprises, while not alienating workers who will end up using it for their personal affairs as well. The phone, launched Monday, integrates with Google's Android for Work program, which allows companies to manage and secure the Android devices of their employees. The phone also works with major device management platforms including those from MobileIron, Citrix, Good and SOTI. One of the most important new features of Blackphone 2 is called Spaces and allows users to create virtual phone environments with different security settings.

Cookie handling in browsers can break HTTPS security

Cookies, the files that websites create in browsers to remember logged-in users and track other information about them, could be abused by attackers to extract sensitive information from encrypted HTTPS connections.

The issue stems from the fact that the HTTP State Management standard, or RFC 6265, which defines how cookies should be created and handled, does not specify any mechanism for isolating them or checking their integrity.

As such, Web browsers don't always authenticate the domains that set cookies. That allows malicious attackers to inject cookies via plain HTTP connections that would later be transmitted for HTTPS connections instead of those set by the HTTPS sites themselves, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University said in an advisory Thursday.
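The mechanism behind the advisory is easiest to see in a cookie store: under RFC 6265 a cookie is identified by domain, path and name only, so the store never records whether it was set over HTTP or HTTPS, and a plaintext response can overwrite or shadow a cookie that an HTTPS site set. The model below is an added example written for this page, not code from the advisory or from any browser; it implements just enough of RFC 6265 to show the overwrite and the path-shadowing variant. It also models the `__Secure-`/`__Host-` name prefixes that browsers added after this advisory (Chrome and Firefox ship them) as an opt-in check; the URLs and cookie names are constructed.

```python
from urllib.parse import urlsplit


class CookieJar:
    """Minimal RFC 6265-style store. Cookies are keyed by (domain, path, name);
    the scheme of the response that set a cookie is not part of the key, which
    is exactly the gap the CERT/CC advisory describes."""

    def __init__(self, enforce_prefixes=False):
        self.store = {}
        self.enforce_prefixes = enforce_prefixes  # later browser behaviour, opt-in here

    def set_cookie(self, response_url, header):
        """Process one Set-Cookie header from a response at response_url.
        Returns False when the cookie is rejected."""
        u = urlsplit(response_url)
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            attrs[k.lower()] = v
        domain = attrs.get("domain", u.hostname).lstrip(".").lower()
        path = attrs.get("path", "/")
        secure = "secure" in attrs
        if self.enforce_prefixes:
            # __Secure-: only settable from https with the Secure attribute.
            # __Host-: additionally no Domain attribute and Path=/, so it is
            # bound to exactly this host and cannot be set by a subdomain.
            if name.startswith("__Secure-") and not (u.scheme == "https" and secure):
                return False
            if name.startswith("__Host-") and not (
                u.scheme == "https" and secure and "domain" not in attrs and path == "/"
            ):
                return False
        # No scheme in the key: an http:// response replaces an https:// cookie.
        self.store[(domain, path, name)] = (value, secure)
        return True

    def cookie_header(self, request_url):
        """Build the Cookie header for a request, RFC 6265 section 5.4 style:
        domain- and path-matching cookies, longer paths first."""
        u = urlsplit(request_url)
        host = u.hostname.lower()
        out = []
        for (domain, path, name), (value, secure) in self.store.items():
            if secure and u.scheme != "https":
                continue
            if not (host == domain or host.endswith("." + domain)):
                continue
            if not u.path.startswith(path):
                continue
            out.append((path, name, value))
        out.sort(key=lambda t: -len(t[0]))
        return "; ".join(f"{n}={v}" for _, n, v in out)


def overwrite_attack(jar, name):
    """HTTPS site sets a Secure session cookie; an attacker who can answer a
    plaintext request for the same host (constructed scenario) sets the same
    name over http. Returns what the browser then sends to the HTTPS site."""
    jar.set_cookie("https://www.example.com/login", f"{name}=legit; Secure; Path=/")
    jar.set_cookie("http://www.example.com/", f"{name}=evil; Path=/")
    return jar.cookie_header("https://www.example.com/account")


def shadow_attack(jar):
    """Same setup, but the attacker scopes the cookie to a narrower path so it
    is sent first without ever overwriting the legitimate one."""
    jar.set_cookie("https://www.example.com/login", "session=legit; Secure; Path=/")
    jar.set_cookie("http://www.example.com/", "session=evil; Path=/account")
    return jar.cookie_header("https://www.example.com/account")


if __name__ == "__main__":
    print(overwrite_attack(CookieJar(), "session"))
    print(shadow_attack(CookieJar()))
    print(overwrite_attack(CookieJar(enforce_prefixes=True), "__Host-session"))
```

Two points follow from running it. The shadowing variant means a server that reads the first `session=` value will act on the attacker's cookie even in a browser that would refuse to overwrite a Secure cookie. And the prefix check only protects names that actually use the prefix; an unprefixed `session` cookie is still replaceable in the prefix-aware jar, which is why the server side must name the cookie `__Host-session` (and send it with Secure and Path=/) for the browser to be able to help. HSTS for the whole domain closes the plaintext channel the injection needs in the first place.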

New malware program infects ATMs, dispenses cash on command

Security researchers have discovered a new malware program that infects automated teller machines (ATMs) and allows attackers to extract cash on command.

The program is dubbed GreenDispenser and was detected in Mexico. However, it's only a matter of time until similar attacks are adopted by cybercriminals in other countries, researchers from security firm Proofpoint said in a blog post.

GreenDispenser is not the first malware program to target ATMs. In October 2013, security researchers from Symantec warned about a backdoor called Ploutus that could infect ATMs when a new boot disk is inserted into their CD-ROM drives.

Ransomware pushers up their game against small businesses

After extorting millions from consumers over the past few years, file-encrypting ransomware creators are increasingly focusing their attention on victims who are more likely to pay up: small and medium-sized businesses.

Throughout June and July, over 67 percent of users who clicked on malicious links in CryptoWall-related emails were from the SMB sector, researchers from antivirus vendor Trend Micro found. An additional 17 percent were from within large enterprises.

CryptoWall is one of the most widespread ransomware programs, infecting nearly 625,000 systems between March and August 2014 and many more since then. Researchers estimate that it has earned well over $1 million for its creators.

OPM underestimated the number of stolen fingerprints by 4.5 million

The number of people whose fingerprints have been stolen as a result of the high-profile hack into the computer systems of the U.S. Office of Personnel Management earlier this year is now 5.6 million.

The agency revised its original estimate of 1.1 million Wednesday after finding fingerprint data in archived records that had previously not been taken into account.

This does not change the overall number of 21.5 million former, current and prospective federal employees and contractors whose Social Security numbers, personal information and background investigation records were exposed in the breach.

The OPM announced in June that it was the target of a cybersecurity breach that resulted in the theft of personnel data including full names, birth dates, home addresses, and Social Security numbers of 4.2 million current and former government employees.

Thousands of iOS apps infected by XcodeGhost

The impact of iOS app developers unknowingly using a rogue version of the Xcode development tool is turning out to be greater than initially thought: early reports listed just 39 apps that had been trojanized with the tool, but security researchers have since identified thousands more.

On Friday, security research firm Palo Alto Networks reported that 39 apps found in the App Store had been compromised after their developers -- most of them located in China -- used a rogue version of Xcode that had been distributed on forums. Xcode is a development tool for iOS and OS X apps provided by Apple.

HP adds protection against firmware attacks to enterprise printers

Researchers have been demonstrating attacks against printers for years. Now, Hewlett-Packard has started building defenses directly into its printers' firmware instead of just patching individual vulnerabilities.

The company's new M506, M527 and M577 series of LaserJet Enterprise printers, set to go on sale in October and November, will have built-in detection for unauthorized BIOS and firmware modifications.

HP refers to this capability as "self-healing security," but it's actually a set of code integrity checking mechanisms that security researchers have asked embedded systems manufacturers to implement for years.

One of the new features, called HP Sure Start, validates the integrity of the BIOS code at boot time and if any modification is detected, it reboots the device and loads a clean copy. This is based on a similar feature that HP's Elite line of PCs have had since 2013.

Hack iOS 9 and get $1 million, cybersecurity firm says

The market for unpatched vulnerabilities has grown so much that an exploit reseller is willing to pay US$1 million for an attack that can compromise iOS 9 devices.

Zerodium, an exploit acquisition company, promises to pay $1 million to researchers who can provide it with an "exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices."

In the context of iOS devices, jailbreaking refers to bypassing the security restrictions enforced by the mobile operating system in order to install applications that haven't been authorized by Apple and are not distributed through the official app store.

Critical Flash Player updates patch 23 flaws

Adobe Systems released new updates for Flash Player to patch critical vulnerabilities that could allow attackers to install malware on computers.

The updates fix a total of 23 flaws, of which 18 can potentially be exploited to execute malicious code on the underlying systems. Adobe is not aware of any exploits being publicly available for the fixed vulnerabilities.

The other flaws could lead to information disclosure, bypassing of the same-origin policy mechanism in browsers and memory leaks. Two of the patches are adding or improving protections against vector length corruptions and malicious content from vulnerable JSONP callback APIs used by JavaScript programs running in browsers.

Malware implants on Cisco routers revealed to be more widespread

Attackers have installed malicious firmware on nearly 200 Cisco routers used by businesses from over 30 countries, according to Internet scans performed by cybercrime fighters at the Shadowserver Foundation. Last Tuesday, FireEye subsidiary Mandiant warned about new attacks that replace the firmware on integrated services routers from Cisco Systems. The rogue firmware provides attackers with persistent backdoor access and the ability to install custom malware modules. At the time Mandiant said that it had found 14 routers infected with the backdoor, dubbed SYNful Knock, in four countries: Mexico, Ukraine, India and the Philippines. The affected models were Cisco 1841, 2811 and 3825, which are no longer being sold by the networking vendor.

Attackers install highly persistent malware implants on Cisco routers

Replacing router firmware with poisoned versions is no longer just a theoretical risk. Researchers from Mandiant have detected a real-world attack that has installed rogue firmware on business routers in four countries.

The router implant, dubbed SYNful Knock, provides attackers with highly privileged backdoor access to the affected devices and persists even across reboots. This is different from the typical malware found on consumer routers, which gets wiped from memory when the device is restarted.

SYNful Knock is a modification of the IOS operating system that runs on professional routers and switches made by Cisco Systems. So far it was found by Mandiant researchers on Cisco 1841, 2811 and 3825 "integrated services routers," which are typically used by businesses in their branch offices or by providers of managed network services.

Website hackers hijack Google webmaster tools to prolong infections

Hackers who compromise websites are also increasingly verifying themselves as the owners of those properties in Google's Search Console. Under certain circumstances this could allow them to remain undetected longer than they otherwise would be, researchers warn.

The Google Search Console, formerly known as the Google Webmaster Tools, is a very useful service for administrators to understand how their websites perform in search results.

In addition to providing analytics about search queries and traffic, it also allows webmasters to submit new content for crawling and to receive alerts when Google detects malware or spam issues on their websites.
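Verifying ownership in Search Console leaves artefacts on the site itself: a `google-site-verification` meta tag in the page head or an HTML file named `google<token>.html` in the web root (DNS TXT records are the third route and are checked at the registrar, not on the server). A cheap control is to keep an allow-list of the tokens the real owners created and alert on any other. The block below is an added example, not Google's or the researchers' code; the page source, directory listing and tokens are constructed, and the allow-list contents are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed page source (not a real site): the owner's verification tag
# plus a second tag that nobody on the team added.
SAMPLE_INDEX_HTML = """<!doctype html>
<html><head>
<meta name="google-site-verification" content="AbCdEf-OWNER-token123">
<meta name="google-site-verification" content="zZyYxX-unknown-token999">
<title>Shop</title></head><body>hi</body></html>"""

# Constructed web-root listing. File-based verification drops google<hex>.html there.
SAMPLE_WEBROOT = [
    "index.html",
    "google1234567890abcdef.html",
    "googlefedcba0987654321.html",
    "robots.txt",
]

# Assumed allow-lists: what the site's owners know they created.
KNOWN_TOKENS = {"AbCdEf-OWNER-token123"}
KNOWN_FILES = {"google1234567890abcdef.html"}


class VerificationMetaParser(HTMLParser):
    """Collects the content= value of every google-site-verification meta tag."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        if (a.get("name") or "").lower() == "google-site-verification":
            self.tokens.append(a.get("content") or "")


def meta_tokens(html):
    p = VerificationMetaParser()
    p.feed(html)
    return p.tokens


FILE_RE = re.compile(r"^google[0-9a-f]+\.html$")


def verification_files(listing):
    return [f for f in listing if FILE_RE.match(f)]


def unexpected_verifications(html, listing, known_tokens=KNOWN_TOKENS, known_files=KNOWN_FILES):
    """Anything on the site that would let an unknown party claim it in
    Search Console: tokens and files outside the allow-lists."""
    return {
        "meta": sorted(set(meta_tokens(html)) - known_tokens),
        "files": sorted(set(verification_files(listing)) - known_files),
    }


if __name__ == "__main__":
    print(unexpected_verifications(SAMPLE_INDEX_HTML, SAMPLE_WEBROOT))
```

Removing the stray tag or file is necessary but not sufficient: the attacker's Search Console access is revoked only when the verification artefact is gone and Google re-checks, so the site's existing verified owners should also review the property's owner list and remove the unknown user there.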

Cyberattack exposes 10 million records at US health insurer Excellus

Hackers have penetrated the IT systems of U.S. health insurer Excellus BlueCross BlueShield and gained access to personal, financial and medical information of more than 10 million people, the company disclosed Thursday.

The initial attack occurred in December 2013, but the company did not learn about it until Aug. 5. Since then it has been working with the FBI and cybersecurity firm Mandiant to investigate the breach.

The hackers may have had access to customer records which include names, addresses, telephone numbers, dates of birth, Social Security numbers, member identification numbers, financial accounts and medical claims information.

Ashley Madison coding blunder made over 11 million passwords easy to crack

Until today, the creators of the hacked AshleyMadison.com infidelity website appeared to have done at least one thing well: protect user passwords with a strong hashing algorithm. That belief, however, was painfully disproved by a group of hobbyist password crackers.

The 16-man team, called CynoSure Prime, sifted through the Ashley Madison source code that was posted online by hackers and found a major error in how passwords were handled on the website.

They claim that this allowed them to crack over 11 million of the 36 million password hashes stored in the website's database, which has also been leaked.

A few weeks ago such a feat seemed impossible because security experts quickly observed from the leaked data that Ashley Madison stored passwords in hashed form -- a common security practice -- using a cryptographic function called bcrypt.
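The summary above does not say what the error was; CynoSure Prime's own write-up reported that the leaked code also computed a fast, unsalted MD5-based login token from the lowercased username and password and stored it next to the bcrypt hash. The general lesson is worth seeing in code: any cheap hash of the same secret stored beside an expensive one reduces the attacker's cost to that of the cheap hash. The block below is an added example, not the site's code or the crackers' tooling; the token format is an illustrative stand-in rather than the real construction, PBKDF2 stands in for bcrypt (which is not in the standard library), and the wordlist, username and password are constructed.

```python
import hashlib
import itertools

SLOW_ITER = 20_000  # assumed cost; enough that each guess is visibly expensive


def slow_hash(password, salt):
    """Stand-in for bcrypt: salted PBKDF2-HMAC-SHA256 with a high iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITER)


def cheap_token(username, password):
    """Illustrative side token: one unsalted MD5 over lowercased credentials.
    The exact construction is an assumption here, not the site's code."""
    return hashlib.md5(f"{username.lower()}::{password.lower()}".encode()).hexdigest()


def case_variants(word):
    """Every upper/lower spelling of word, lowest-case first (6 letters -> 64)."""
    pools = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return ["".join(t) for t in itertools.product(*pools)]


# Constructed wordlist; the user's real password "Dragon" is not in it verbatim.
WORDLIST = ["123456", "qwerty", "abc123", "dragon"]


def crack_slow_only(target_hash, salt, wordlist):
    """Baseline without the token: every candidate and every case variant goes
    through the slow hash. Returns (password, slow_hash_calls)."""
    tries = 0
    for w in wordlist:
        for v in case_variants(w):
            tries += 1
            if slow_hash(v, salt) == target_hash:
                return v, tries
    return None, tries


def crack_with_token(target_hash, salt, username, token, wordlist):
    """With the token: recover the case-insensitive password from the cheap
    MD5 first, then confirm only that word's case variants against the slow
    hash. Returns (password, slow_hash_calls); MD5 calls are not counted
    because they cost nothing by comparison."""
    slow_tries = 0
    for w in wordlist:
        if cheap_token(username, w) == token:
            for v in case_variants(w):
                slow_tries += 1
                if slow_hash(v, salt) == target_hash:
                    return v, slow_tries
    return None, slow_tries


def compare(username="alice", password="Dragon", salt=b"constructed-salt"):
    """Return the number of slow-hash evaluations each strategy needed."""
    target = slow_hash(password, salt)
    token = cheap_token(username, password)
    _, baseline = crack_slow_only(target, salt, WORDLIST)
    _, shortcut = crack_with_token(target, salt, username, token, WORDLIST)
    return baseline, shortcut


if __name__ == "__main__":
    print("slow-hash calls without token / with token:", compare())
```

Even on this four-word list the shortcut cuts the expensive work by more than two thirds, and the ratio grows with the wordlist because the token lets the attacker skip the slow hash for every wrong word and pay for it only on the case variants of the right one. The fix is not a stronger bcrypt cost factor; it is never deriving a second, cheaper value from the password.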

Turla cyberespionage group exploits satellite Internet links for anonymity

A cyberespionage group of Russian origin that targets governmental, diplomatic, military, educational and research organizations is hijacking satellite-based Internet connections in order to hide their servers from security researchers and law enforcement agencies.

The group is known as Epic Turla, Snake or Uroburos and even though some of its operations were first uncovered in February 2014, it has been active for at least eight years.

Microsoft patches yet another Hacking Team zero-day exploit

Over two months after Italian surveillance software maker Hacking Team had its internal data leaked by hackers, vendors are apparently still fixing zero-day exploits from the company's arsenal.

On Tuesday, Microsoft published 12 security bulletins covering 56 vulnerabilities in the new Edge browser, Internet Explorer, Windows, Office, Skype for Business, .NET Framework and some of its other software products.

Blurred lines: Cyberespionage group caught borrowing banking malware code

A group of hackers that target military and government organizations has recently borrowed code from an old online banking Trojan called Carberp, further blurring the line between cybercrime and cyberespionage.

The hacker group is known by various names in the security industry, including Pawn Storm and APT28. Its primary malware tool is a backdoor program called Sednit or Sofacy.

The group has been active since at least 2007 and has targeted governmental, security and military organizations from NATO member countries, as well as defense contractors and media organizations, Ukrainian political activists and Kremlin critics.
