Archive for the ‘Vulnerability’ Category
Russian website claims that Conficker is launching DDoS attacks
The Conficker worm has been stepping up its activities, with reports of distributed denial of service (DDoS) attacks on a number of Russian websites.
David Harley, director of malware research at ESET, working with researchers from Arbor Networks, claimed that a Russian newspaper is stating that attacks on tonks.ru, roem.ru and others are evidence of Conficker stepping up its activities.
For more, see the article at scmagazineuk.com
Ebay anti-fraud forum becomes stage for hackers
Hackers have posted personal information on 1,200 Ebay customers to an Ebay forum dedicated, ironically, to fraud prevention. The information was up for around an hour this morning before Ebay shut the forum down, and it displayed email details, CVV2 numbers, telephone numbers, home addresses and possibly credit card details to visitors. Ebay says the information was not acquired through a breach of its security and suggests it was likely obtained through phishing or account takeovers. The company also says that the credit card details displayed do not match those on either its own or PayPal’s servers.
The auction site is currently trying to contact the users whose details were posted and the Trust and Safety board on which the information was shown has since been reopened.
“Very early this morning, a malicious fraudster posted on the Trust & Safety forum on eBay.com posing as approximately 1,200 eBay users,” the company reports in its blog.
“The fraudster made these posts in a way that was intended to appear as though he logged in with their accounts. The posts contained name and contact information, which appears to be valid.”
“We’re in the process of reaching out by phone to these members so that if the information is valid somehow, regardless how this fraudster acquired the information, these members can take the steps they need to take to protect themselves.”
Source: PC Pro UK
HACKERS BOMB WINDOWS LIVE!
Windows Live Search in Italy has been taken over by hackers, according to reports. Security experts at Sunbelt Software claim that certain queries typed into the search engine point to sites run by hackers. ‘It looks like the malware people have practically taken over Live search in Italy. 95 per cent or more of the following search results lead to extremely nasty malware and exploit sites,’ writes Alex Eckelberry. Rather than infiltrate Microsoft’s servers, the hackers appear to have employed SEO tactics to hijack the results of searches for specific keywords. Searches such as ‘online multimedia encyclopedia’, ‘online house insurance’ and ‘milan jacket’ land the searcher with a list of unsavoury sites.
Once the users were on the Live.com site apparently they were served up links to malware sites. The search engine itself was used as a conduit for sending people to the malicious search pages. This is yet another reason why search engines shouldn’t index XSS. Even if the site is benign, they would be indexing links to malicious pages on benign sites. Anyway, interesting read, and it’s scary that the SEO community is now dabbling in hacking as well. It was only a matter of time.
Should Microsoft start paying for vulnerabilities?
Hackers are starting to agitate for Microsoft to start paying for information on security flaws found in its software products.
The issue surfaced this week after the MSRC (Microsoft Security Response Team) posted a message on the sla.ckers.org message board, calling on third-party researchers to submit vulnerability information directly to Redmond before going public.
The invitation — which extended to bugs found in all of Microsoft’s online web properties such as *.microsoft.com, *.msn.com and *.live.com — is part of Microsoft’s insistence on the concept of “responsible disclosure,” where researchers give advance notice to affected vendors. For the first time, however, the response from hackers suggests it’s time for Microsoft to start offering cash rewards for flaw information.
Immediately after Microsoft’s Sla.ckers.org post, “digi7al64” replied with this:
I propose MS implement a reward system where you agree to pay cash for vulnerabilities found within your domains. The benefit of this I suggest would be a flood of vulnerabilities reported the first few months which would taper off to only 1 or 2 intermittently as new systems come online.
The cost of this type of project would be relatively low and if you placed a sliding scale on amount paid (based on the vun) I’m sure you could get away with it for less than 20-50k all told… which in the big scheme of things is a drop in ocean for MS.
Information on software defects is considered extremely valuable — vendors use it to improve the quality of products — but the existing “responsible disclosure” system gives the information for free to software vendors, even those with deep pockets.
The existence of third-party brokers like Verisign’s iDefense VCP and 3Com Tippingpoint’s ZDI has validated the market for software flaws and given white hat hackers a place to make money for their work but there is a growing feeling that the big vendors — especially Microsoft — should set up a bug-bounty program that tangibly rewards external researchers.
Microsoft’s official policy is that responsible disclosure works just fine and the credit given to bug finders in security bulletins is more than enough but a burgeoning black market and the spike in zero-day attacks provide proof that the status quo needs fixing.
Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, weighs in:
Now think about this… if given the option, how many of the organizations that have been outed would have gladly paid a voluntary reward for the disclosure and saved themselves the negative press? Probably a fair number would have participated. Also of course, if they choose not to participate, there’s nothing lost and things remain the same. Though if an organization budgeted say $10,000, which could help to eliminate a ton of XSS and SQL Injection issues. And at some point vulnerabilities would get much harder to find and system security would improve. Obviously a lot of details would have to be worked out to counteract any extortion or blackmail schemes. I’m not quite ready to begin recommending this approach, but I think it’s worth continuing a dialog over.
Chris Eng, director of security services at Veracode, urges caution, especially when it comes to auditing Web applications:
These posters either don’t realize or are conveniently ignoring the fact that it is illegal to stage unauthorized attacks against these websites to begin with. There are a lot of shady underground economies, but that doesn’t necessarily make them legal or ethical.
Vista vulnerable to ‘Sticky Keys’ backdoor
From the “neat-find-department” comes word from McAfee that Windows Vista is vulnerable to a Sticky Keys backdoor that could be exploited — under perfect circumstances — to launch malicious executables.
McAfee researcher Vinoo Thomas said the security risk, which is already well-known on Windows XP, exists because Windows Vista does not check the integrity of the Sticky Keys file (%systemroot%\windows\system32\sethc.exe) before executing it.
“Which means you could replace it with another executable and run it by depressing the shift key five times. A popular replacement is “cmd.exe.” After replacement, one could invoke this command prompt at the login prompt without the need to authenticate,” Thomas said in a note posted on the McAfee Avert blog.
Once launched, it is possible to execute explorer.exe without authenticating and get a full desktop running under the credentials of the NT Authority\system account. And from this point on an attacker has full access to the system.
Although this is considered a neat find, it is hardly a critical issue that puts users at risk of remote code execution attacks. For starters, as Thomas himself admits, an attacker must already be logged in as an administrator to replace the executable.
An attacker with full admin rights already owns the box so it makes little sense to be manipulating executables to exploit a built-in backdoor. McAfee’s Thomas suggests it could still be useful, warning that a determined attacker can always find workarounds to elevate user rights and use the backdoor to create a new user, add the new user to the administrators group via the net command and then use the account to rightfully log in using certain commands.
Another alarming feature of this backdoor is that an attacker can use this method to bypass login on terminal servers and workstations with the remote desktop enabled. Since no third-party tools are being installed on the system and we are using Microsoft’s own files to achieve this, it will be difficult to detect for a typical administrator.
[NOTE: Sticky Keys is an accessibility feature to aid handicapped users. It allows the user to press a modifier key, such as Shift, Ctrl, Alt, or the Windows key, and have it remain active until another key is pressed. Windows Vista users can activate the feature by pressing the Shift key five times].
Source: ZDNet.com
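Because the replacement described above uses Microsoft's own files, an administrator needs a check that looks at what sethc.exe actually is rather than whether it is signed. The following is an added example, not code from McAfee or ZDNet; it assumes PowerShell 4 or later, the standard location %SystemRoot%\System32\sethc.exe, and a hypothetical function name `Test-StickyKeysBinary`.

```powershell
# Added example: integrity check for the Sticky Keys binary (sethc.exe).
# Assumptions: PowerShell 4+ (Get-FileHash); Test-StickyKeysBinary is a
# hypothetical name; paths default to the standard System32 locations.
function Test-StickyKeysBinary {
    param(
        [string]$Path      = (Join-Path $env:SystemRoot 'System32\sethc.exe'),
        [string]$ShellPath = (Join-Path $env:SystemRoot 'System32\cmd.exe')
    )
    $findings = @()
    $hash = $null
    $sig  = $null

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $findings += 'file is missing'
    }
    else {
        # The genuine file's version resource names it sethc.exe; a copy of
        # another program keeps that program's own original file name.
        $orig = (Get-Item -LiteralPath $Path).VersionInfo.OriginalFilename
        if ($orig -notmatch '^sethc\.exe') {
            $findings += "OriginalFilename is '$orig', expected sethc.exe"
        }

        # Byte-identical to cmd.exe: the replacement the article describes.
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if (Test-Path -LiteralPath $ShellPath -PathType Leaf) {
            $shellHash = (Get-FileHash -LiteralPath $ShellPath -Algorithm SHA256).Hash
            if ($hash -eq $shellHash) { $findings += 'identical to cmd.exe' }
        }

        # Informational only: a swapped-in cmd.exe is itself Microsoft-signed,
        # so a valid signature does not clear the file.
        $sig = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    }

    [pscustomobject]@{
        Path            = $Path
        SHA256          = $hash
        SignatureStatus = $sig
        Suspicious      = ($findings.Count -gt 0)
        Findings        = $findings
    }
}

Test-StickyKeysBinary | Format-List
```

Run it from a 64-bit PowerShell session on 64-bit Windows, since a 32-bit session is redirected to SysWOW64 and would inspect a different copy of the file.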