Middlebury

Security Articles

Study Finds More Than 10,000 ID Fraud Rings In the U.S.
Georgia, South Carolina, and Florida are among the hotspots for identity theft

The misuse of personally identifiable information (PII) can take many forms, from filing fraudulent bank applications with stolen information to manipulating personal data in order to game unsuspecting companies. In a new study released today, ID Analytics' ID: A Labs reveals that this murky underworld comprises more than 10,000 identity fraud rings operating in the U.S. alone -- many of them groups of family members and friends rather than organized crime.

The study analyzed more than 1 billion applications for wireless services, bank cards, and retail credit cards, and uncovered identity fraud rings attacking all three industries. According to the study, Georgia, Florida, and the Carolinas are hotbeds for fraudulent activities across all three industries. Wireless carriers got hit the worst, the report notes.

There are several types of identity fraud, ranging from criminals who learn enough about a specific account to impersonate the victim and take unauthorized actions, to targeting a specific individual and then assuming that person's persona. There is also "synthetic identity fraud," where an identity is completely fabricated and used to commit fraud, as well as people who make subtle or slight changes to their own PII in order to commit fraud.

Another emerging fraud trend, which is not strictly identity fraud, is credit muling: paying a person to use their own legitimate PII with the intention to defraud. This is not really identity fraud, since the applicant uses only their correct identity information; they simply have no intention of repaying the debt. The technique is becoming more frequent among wireless customers who have previously earned a decent credit rating.

The report offered no insight into how the fraud rings were actually stealing information. It did, however, profile some of the rings, many of which comprise groups of friends and family members rather than professional crime groups. These family-based groups often improperly share their personal information with one another and use it in fraud schemes.

In one example, the report cited a friends-and-family identity fraud ring in the Indianapolis area consisting of a man and a woman over the age of 70, a 48-year-old woman with the same family name, and a second 48-year-old woman with a different last name. All the members of the ring used multiple Social Security numbers and last names, and three used alternate first names and birthdays. According to the report, this ring perpetrated 345 falsified credit card applications and a fraudulent payday loan.

Two-factor authentication, using hardware tokens, software tokens, or lookup tables, is in use by major financial institutions and other high-risk systems. Passwords should not be considered foolproof: they can be easily compromised, whereas two-factor authentication is not so easy to defeat. For access control to vital data, two-factor authentication should be considered another tool in a corporation's general security strategy.

Phishing: what is it and how to protect against it.

Phishing is a scam used by internet attackers to gather your personal information. They impersonate businesses, acquaintances, or other trustworthy sources with misleading information in the hope of getting you to expose your information. Some scams simply ask for your information outright. Others may ask you to send money.

Recently there has been a rash of phishing attacks reaching Middlebury that ask their victims to visit web sites. Many of these sites have been hidden behind links pretending to be other web sites: the links in the email messages may appear to point to government or business sites, with malicious sites hiding behind them. Some of these we have been able to block with the security tools employed here at Middlebury. The more malicious of these phishing attacks have been leveraging web sites such as Google Docs or Yahoo to gather the information they are looking for from their victims. Because of the prevalence of these commercial sites, we are unable to block those attacks.

So how can you protect yourself? The first trick is to know how to spot a phishing attack. Recognize that reputable senders, such as your bank or other vendors, will either include identifying information in their messages or simply will not put links in their email. Many banks now include security blocks in the corner of their email messages with details that can only come from the bank. If you receive an email from a vendor such as a bank, the best practice is not to click on the link but to manually enter the web address into your browser. If you ever receive an email that seems suspicious, delete the message. The following links have examples of phishing attacks to help you better understand what these attacks might look like.

http://onguardonline.gov/articles/0003-phishing

http://www.middlebury.edu/offices/technology/security

New Phishing Attack:

There is a new form of phishing attack that I have seen coming into our network that is particularly well crafted. I wanted to raise awareness of these among our teams. The subject line will indicate that the message is from a known vendor. The two I have seen had subject lines such as "Trend Micro: Get your ... White Paper today!" The other was along the lines of "Bank of America provides security update on . . ."

Where these emails get you is not the typical hook in the message body: when you open or preview the email, it simply has a one-line hyperlink that says, "If you are having trouble viewing this message view the online version," which happily takes you to a malicious site. Please watch for these attacks.

Java 7 Update 6 Vulnerability

You may have recently heard or read about a new widespread exploit concerning Java in mainstream media outlets. LIS is aware of this risk. The major systems used by the College that depend upon Java (e.g. Banner, Hyperion, Nolij, Famis) use an earlier version of Java and are not vulnerable to this exploit. This vulnerability impacts Java 7 Update 6 and possibly other versions of Java 7; Java 6 and below are not vulnerable to this exploit.

Java is used for many different applications, and you should be thoughtful about your actions before patching, upgrading or removing your version of Java. While Oracle has released a patch for the current vulnerability, it has also opened up a new loophole to a known older vulnerability.

Our advice at this time is to NOT update or patch your Java client to version 7. If your Java client has already been updated or patched to version 7, please remove Java completely from your Mac or Windows computer, and then visit http://java.com/en/download/manual_v6.jsp to reinstall version 6. If you are not sure what version of Java you are running, you may visit this URL to verify: http://www.java.com/en/download/installed.jsp.

LIS continues to remain vigilant in safeguarding our critical systems. If you have questions or concerns regarding this post, please contact infosec@middlebury.edu.

5 Tips: How To Prevent Botnet Infection

Botnets are groups of hijacked private and corporate computers that are controlled remotely and used, among other things, to send spam, usually without the owner's knowledge. Undetected, the installed malware often runs only in the background, making it more difficult for users to identify the risk and react accordingly. It is currently estimated that over 90% of all spam e-mails are distributed via botnets. The significant decline in spam on weekends indicates that, in addition to private computers, many corporate computers are now affected as well. These tips will help you protect yourself:

1. E-mail with malware as an attachment

The infection takes place through malware known as Trojans, created specifically for the purpose of infection. The "classic" infection pathway is through e-mail attachments. The user is led to believe that the attachment contains essential information or an important document, such as an invoice, a tax form, or a package delivery notification. Instead, it contains malware that is activated as soon as the user attempts to open it. Unknown file attachments should therefore never be opened. The option "Hide extensions for known file types" should also be deselected in the system settings; doing so makes it possible to spot a fake PDF file whose real name ends in pdf.exe.
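The double-extension trick in tip 1 is easy to show in code. The following is an added example, not part of the original article: it mimics what Explorer displays with "Hide extensions for known file types" on versus off, and flags attachment names whose real (last) extension is executable while the name in front of it looks like a document. The extension sets and attachment names are constructed for the example.

```python
import os

# Extensions Windows runs as programs. Placed after a document-looking
# name (invoice.pdf.exe) they give the "fake PDF" described in tip 1.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def displayed_name(filename: str, hide_known_ext: bool = True) -> str:
    """Name as Explorer shows it. With 'Hide extensions for known file
    types' enabled only the final extension is hidden, so invoice.pdf.exe
    is shown as invoice.pdf; with it disabled the full name is visible."""
    if not hide_known_ext:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def is_disguised_executable(filename: str) -> bool:
    """True when the real (last) extension is executable and the part
    before it ends in a document-looking extension."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, inner = os.path.splitext(stem)
    return inner.lower() in DOCUMENT_EXTS


def triage(attachments):
    """Return (real name, name the user sees, suspicious?) per attachment."""
    return [(n, displayed_name(n), is_disguised_executable(n)) for n in attachments]


# Constructed attachment names; not taken from any real message.
SAMPLE_ATTACHMENTS = ["invoice.pdf", "Invoice_2012.pdf.exe", "photo.JPG.scr", "setup.exe"]

if __name__ == "__main__":
    for real, shown, bad in triage(SAMPLE_ATTACHMENTS):
        print(f"{real:24} shown as {shown:20} {'SUSPICIOUS' if bad else 'ok'}")
```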

2. Drive-by malware

A further infection pathway that has recently become more popular is drive-by malware. The malware is located on a manipulated website, and when the site is opened in a web browser the Trojan is installed on the user's computer (hence "drive-by"). The malware is commonly disseminated via spam e-mails that contain links to the infected websites; if the user clicks on the link, the malware is installed in the background. Particularly popular lures include Web 2.0 portals and social networks like Facebook, Twitter, or YouTube. A message feigning an important notice, a message from a friend, or a newly uploaded video is sent to the user in the hope that they will click the enclosed link. Users should never click on links in e-mails unless they can be one hundred percent sure that the message is real.

3. Plug-in and application risks

Trojans often specifically attack current security vulnerabilities and take advantage of them. Standard Internet browsers and plug-ins, such as Adobe Flash Player or Acrobat Reader, are particularly popular. Outdated versions significantly increase the risk of such an attack. Users should make sure that these applications are always up to date and updates requested by the system are installed. eleven also recommends deactivating the Acrobat JavaScript setting.

4. Hazard: data storage devices

A further risk that can lead to botnet infection is the use of external data storage devices like USB sticks or SD cards. Because most people cannot recognize what is happening in the background when a device is opened, the rule is: unknown data storage devices should always be checked by an up-to-date virus scanner before use. Users should also avoid using data storage devices that are not their own whenever possible. In addition, the Windows option that automatically treats a certain type of device, such as a USB stick, the same way every time it is inserted should be deactivated.

5. The best of all possible worlds: reliable spam and virus protection

Despite all precautionary measures, when it comes to avoiding botnet infections, the most important element is reliable spam and virus protection. Users should check which spam and virus protection options are offered by their e-mail provider, e.g. their Internet provider or webmail service. A virus scanner should also be installed. Important: always keep the virus scanner up to date!

Report: Four Out Of Five Phishing Attacks Use Security Scams

Email scammers are increasingly using security as their chief weapon for fooling users into clicking on infected links and attachments. After an analysis looking at the most recent quarter of this year, Websense Security Labs has determined that four of the top five subject lines of phishing attempts by volume are security messages.

The top five phishing email subject lines are:

1. Your account has been accessed by a third party

2. (Bank Name) Internet Banking Customer Service Message

3. Security Measures

4. Verify your activity

5. Account security Notification

Phishing attacks are most likely to appear on Mondays or Fridays because attackers have learned that they can evade email security measures by sending an email with a clean link on Friday or over the weekend – bypassing email URL scanning. They catch people when their guard is down, as they're looking forward to the weekend on Friday or taking their time getting back to work on Monday. Attackers often use phishing as a first step in more sophisticated attacks, and enterprises can expect many more spear-phishing campaigns in the future.

Apple Removes Default Java Support In Browsers

Apple removed its Java plug-in from Safari and other Web browsers. In Apple's Java for OS X 2012-006 1.0 release the Java applet plug-in gets automatically uninstalled from Web browsers. If users want Java applets to run via their browser, they have to download an applet directly from Oracle. Apple also upgraded its own Java version to the latest Oracle release, Java SE 6 1.6.0_37. The big problem with Java, of course, is that it wasn't built for security, and when you install an update, it doesn't overwrite the older versions.

It has been a big year for security moves by Apple. The activity picked up in earnest after the Flashback Trojan, which was seen as a wake-up call for Mac users who assumed they were immune to malware. Flashback amassed a botnet of some 600,000 Macs, most of which were based in the U.S. Apple added a feature to Safari that detects and disables outdated versions of the Adobe Flash plug-in.

It recently added a feature in the OS that turns off Java in the browser if it hasn't been used for some time, all amid increasing exploits and active attacks against the notoriously vulnerable Java. That left the door open for the attackers behind the Flashback botnet, which exploited the Java bug in Apple's software. According to Microsoft's latest Security Intelligence Report v13, Java exploits were the second most common exploit detected in the first half of this year, just behind HTML.

Multiple Remote Attacks in Steam Browser URIs


A report was released on Monday by a pair of respected researchers detailing multiple vulnerabilities in the Steam game URI handler, including potential remote code execution and the ability to write files directly to the victim host. The researchers strongly suggest disabling this URI handler until a patch has been issued by Steam. While attacks have yet to be directly observed in the wild, the trivial nature of certain types of exploitation all but ensures that it will be abused soon. Network administrators should consider Snort SID 24397, which simply blocks all Steam URIs on a given network.
Reference:
http://revuln.com/files/ReVuln_Steam_Browser_Protocol_Insecurity.pdf
Snort SID: 24397
ClamAV: N/A


Adobe Hacker Says He Used SQL Injection To Grab Database Of 150,000 User Accounts

Adobe today (Nov. 14th) confirmed that one of its databases had been breached by a hacker and that it had temporarily taken the affected Connectusers.com website offline. The attacker who claimed responsibility for the attack used a SQL injection exploit in the breach.

Adobe's confirmation of the breach came in response to a Pastebin post yesterday by the self-proclaimed Egyptian hacker who goes by "ViruS_HimA." He says he hacked into an Adobe server and dumped a database of 150,000 emails and passwords of Adobe customers and partners; affected accounts include Adobe employees, U.S. military users including U.S. Air Force users, and users from Google, NASA, universities, and other companies.

The hacker exploited a SQL injection flaw to execute the attack. "It was an SQL Injection vulnerability -- somehow I was able to dump the database in less requests than normal people do," he says.

Users' passwords for the Adobe Connect users site were stored hashed with MD5, he says, which made them "easy to crack" with freely available tools. And Adobe wasn't using WAFs on the servers, he notes.
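The two weaknesses the hacker describes, a query built from user input and passwords stored as unsalted MD5, can be shown side by side with their fixes. The following is an added, constructed example and not Adobe's code: a string-built lookup beside its parameterised form, a single wordlist pass over the MD5 hashes, and the salted, iterated PBKDF2 storage that would have made that cracking impractical. The accounts, table layout and wordlist are invented for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for a forum-style user table; not real data.
SAMPLE_USERS = [("alice@example.com", "Summer2012"), ("bob@example.com", "letmein")]
# Constructed wordlist standing in for the "freely available tools" mentioned.
WORDLIST = ["123456", "password", "letmein", "Summer2012", "qwerty"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory table storing passwords as unsalted MD5, as described above."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (email TEXT, pw_md5 TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(e, md5_hex(p)) for e, p in SAMPLE_USERS])
    return con


def lookup_vulnerable(con, email: str):
    # The input is concatenated into the statement, so quotes in it become SQL
    # and a crafted value returns the whole table instead of one row.
    sql = "SELECT email, pw_md5 FROM users WHERE email = '" + email + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, email: str):
    # Bound parameter: the input is only ever treated as a value.
    return con.execute("SELECT email, pw_md5 FROM users WHERE email = ?",
                       (email,)).fetchall()


def crack_md5(hashes, wordlist):
    """Unsalted MD5 is reversed with one hash per wordlist entry, for all users at once."""
    table = {md5_hex(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def pbkdf2_store(password: str):
    """Salted, iterated hash: every guess costs 200k iterations and a table
    precomputed for one user is useless for any other because salts differ."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def pbkdf2_verify(password: str, salt: bytes, stored: bytes) -> bool:
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(calc, stored)
```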

"Every day we see attacks targeting big companies using Exploits in Adobe, Microsoft, etc. So why don't such companies take the right security procedures to protect their customers and even themselves?"

The hacker leaked only some of the affected emails, including some from "@adobe.com", "*.mil", and "*.gov" addresses, with a screenshot in his Pastebin post, where he first noted that he leaked them because Adobe was slow to respond to vulnerability disclosures and fixes.

Adobe didn't provide details of how the breach occurred. Guillaume Privat, director of Adobe Connect, in a blog post this afternoon said Adobe took the Connectusers.com forum website offline last night and is working on getting passwords reset for the affected accounts, including contacting the users. Connect is Adobe's Web conferencing, presentation, online training, and desktop-sharing service. Only the user forum was affected.

This is the second public breach of the software firm this year. In October, Adobe revealed that an internal server with access to its digital certificate code-signing infrastructure was hacked by "sophisticated threat actors."