Entries Tagged "web"


Criminals Hijack Large Web Hosting Firm

Nasty attack.

IPOWER declined a phone interview for this story. But the company acknowledged in an e-mail that “over the past three months our servers were targeted. We take this situation very seriously and a diligent cleanup effort has been underway for many months already. We saw the StopBadware report on the day it came out and went to download the list to sweep it as quickly as possible. By looking at the list, it was evident that our cleanup efforts were already helping significantly. By the time we downloaded the list, there were already over a few thousand accounts less than what they claimed in their report.”

IPOWER said the site hacks “came from a compromised server hosted by another company that was listed on the Stopbadware.org Web site. This impacted a higher percentage of accounts on each of these legacy third-party control panel systems.”

The company claims to have more than 700,000 customers. If we assume for the moment the small segment of IPOWER servers Security Fix analyzed is fairly representative of a larger trend, IPOWER may well be home to nearly a quarter-million malicious Web sites.

And an interesting point:

An Internet service provider or Web host can take action within 48 hours if it receives a “takedown notice,” under the Digital Millennium Copyright Act. The law protects network owners from copyright infringement liability, provided they take steps to promptly remove the infringing content. Yet ISPs and Web hosts often leave sites undisturbed for months that cooperate in stealing financial data and consumer identities.

There is no “notice and takedown” law specifically requiring ISPs and Web hosts to police their networks for sites that may serve malicious software.

Posted on May 25, 2007 at 7:13 AM

JavaScript Hijacking

Interesting paper on JavaScript Hijacking: a new type of eavesdropping attack against Ajax-style Web applications. I’m pretty sure it’s the first type of attack that specifically targets Ajax code. The attack is possible because Web browsers don’t protect JavaScript the same way they protect HTML: the same-origin policy stops a page from reading HTML or XML fetched from another site, but a <script> tag may load and execute JavaScript from any site, and the browser sends the victim’s cookies along with that request. So if a Web application transfers confidential data using messages written in JavaScript (a bare JSON array, for instance), in some cases a hostile page can include that URL as a script and read the messages.

The authors show that many popular Ajax programming frameworks do nothing to prevent JavaScript hijacking. Some actually require a programmer to create a vulnerable server in order to function.

Like so many of these sorts of vulnerabilities, preventing the class of attacks is easy. In many cases, it requires just a few additional lines of code. And like so many software security problems, programmers need to understand the security implications of their work so that they can mitigate the risks they face. But my guess is that JavaScript hijacking won’t be solved so easily, because programmers don’t understand the security implications of their work and won’t prevent the attacks.
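To make the “few additional lines of code” concrete, here is an added example (not code from the paper or from this post) of the vulnerable response shape beside a hardened one, written for Node.js with no dependencies. The endpoint, the session object, the header names and the sample account data are all assumptions for illustration; the prefix and the custom-header check are the two defences the paper describes. Evaluating the body as a script stands in for what a <script src> inclusion does in the browser.

```javascript
// Added example: why a bare JSON array is readable through <script src>,
// and two cheap server-side defences. Node.js, no dependencies.
// Request shape, session layout and the data are made up for the demo.

// A prefix that is a JavaScript syntax error but trivial for the real
// client to strip before JSON.parse. (Anything that never parses as a
// program works; a "while(1);" prefix is the other common choice.)
const GUARD_PREFIX = ")]}',\n";

// Hypothetical /transactions handler. `req` is {method, headers, session}.
// With vulnerable=true it behaves like the frameworks the paper criticises.
function transactionsHandler(req, vulnerable) {
  const data = [{ account: "12345", amount: 250.0, payee: "Acme" }]; // constructed
  if (vulnerable) {
    // The confidential data IS a JavaScript expression, and the browser
    // attaches the victim's cookies when another site includes this URL
    // in a <script> tag, so the fetch succeeds and the array gets built
    // inside the attacker's page.
    return { status: 200, body: JSON.stringify(data) };
  }
  // Defence 1: a <script> tag can only issue a GET with no custom headers
  // and cannot read a per-session secret, so demand all three.
  if (req.method !== "POST" ||
      req.headers["x-requested-with"] !== "XMLHttpRequest" ||
      req.headers["x-csrf-token"] !== req.session.csrfToken) {
    return { status: 403, body: "" };
  }
  // Defence 2: even if defence 1 is misconfigured somewhere, make the body
  // useless as a script by prefixing it with a guaranteed syntax error.
  return { status: 200, body: GUARD_PREFIX + JSON.stringify(data) };
}

// What a <script src> inclusion amounts to: run the body as a program.
// Indirect eval returns the completion value of the last expression, which
// is exactly what the 2007 attack captured via hooked Array constructors.
function loadAsScript(body) {
  try {
    return { ok: true, value: (0, eval)(body) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// The legitimate XMLHttpRequest client: refuse to parse an unguarded body.
function parseGuarded(body) {
  if (!body.startsWith(GUARD_PREFIX)) {
    throw new Error("response lacks the anti-hijack prefix");
  }
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// Stand-alone demo.
const demoSession = { csrfToken: "t0k3n" };
const leaked = transactionsHandler({ method: "GET", headers: {}, session: demoSession }, true);
console.log("vulnerable body loads as script:", loadAsScript(leaked.body));
const blocked = transactionsHandler({ method: "GET", headers: {}, session: demoSession }, false);
console.log("script-tag style request ->", blocked.status);
const hardened = transactionsHandler({
  method: "POST",
  headers: { "x-requested-with": "XMLHttpRequest", "x-csrf-token": "t0k3n" },
  session: demoSession,
}, false);
console.log("hardened body as script:", loadAsScript(hardened.body));
console.log("hardened body via real client:", parseGuarded(hardened.body));
```

The order matters: the header and token checks stop the cross-site fetch from succeeding at all, and the prefix is the belt-and-braces layer for any endpoint where someone later relaxes those checks.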

Posted on April 2, 2007 at 3:45 PM

Drive-By Pharming

Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson have developed a clever, and potentially devastating, attack against home routers.

First, the attacker creates a web page containing a simple piece of malicious JavaScript code. When the page is viewed, the code makes a login attempt into the user’s home broadband router, and then attempts to change its DNS server settings to point to an attacker-controlled DNS server. Once the user’s machine receives the updated DNS settings from the router (after the machine is rebooted) future DNS requests are made to and resolved by the attacker’s DNS server.

And then the attacker basically owns the victim’s web connection.

The main condition for the attack to be successful is that the attacker can guess the router password. This is surprisingly easy, since home routers come with a default password that is uniform and often never changed.

They’ve written proof of concept code that can successfully carry out the steps of the attack on Linksys, D-Link, and NETGEAR home routers. If users change their home broadband router passwords to something difficult to guess, they are safe from this attack.

Additional details (as well as a nifty flash animation illustrating it) can be found here. There’s also a paper on the attack. And there’s a Slashdot thread.

Cisco says that 77 of its routers are vulnerable.

Note that the attack does not require the user to download any malicious software; simply viewing a web page with the malicious JavaScript code is enough.

Posted on February 22, 2007 at 12:40 PM

Huge Online Bank Heist

Wow:

Swedish bank Nordea has told ZDNet UK that it has been stung for between seven and eight million Swedish krona—up to £580,000—in what security company McAfee is describing as the “biggest ever” online bank heist.

Over the last 15 months, Nordea customers have been targeted by emails containing a tailormade Trojan, said the bank.

Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved.

This is my favorite line:

Ehlin blamed successful social engineering for the heist, rather than any deficiencies in Nordea security procedures.

Um…hello? Are you an idiot, or what?

Posted on January 23, 2007 at 12:54 PM

Hacking Reputation in MySpace and Facebook

I’ll be the first to admit it: I know next to nothing about MySpace or Facebook. I do know that they’re social networking sites, and that—at least to some extent—your reputation is based on who are your “friends” and what they say about you.

Which means that this follows, like day follows night. “Fake Your Space” is a site where you can hire fake friends to leave their pictures and personalized comments on your page. Now you can pretend that you’re more popular than you actually are:

FakeYourSpace is an exciting new service that enables normal everyday people like me and you to have Hot friends on popular social networking sites such as MySpace and FaceBook. Not only will you be able to see these Gorgeous friends on your friends list, but FakeYourSpace enables you to create customized messages and comments for our Models to leave you on your comment wall. FakeYourSpace makes it easy for any regular person to make it seem like they have a Model for a friend. It doesn’t stop there however. Maybe you want to appear as if you have a Model for a lover. FakeYourSpace can make this happen!

What’s next? Services that verify friends on your friends’ MySpace pages? Services that block friend verification services? Where will this all end up?

Posted on December 7, 2006 at 7:29 AM

Hacker-Controlled Computers Hiding Better

If you have control of a network of computers—by infecting them with some sort of malware—the hard part is controlling that network. Traditionally, these computers (called zombies) are controlled via IRC. But IRC can be detected and blocked, so the hackers have adapted:

Instead of connecting to an IRC server, newly compromised PCs connect to one or more Web sites to check in with the hackers and get their commands. These Web sites are typically hosted on hacked servers or computers that have been online for a long time. Attackers upload the instructions for download by their bots.

As a result, protection mechanisms, such as blocking IRC traffic, will fail. This could mean that zombies, which so far have mostly been broadband-connected home computers, will be created using systems on business networks.

The trick here is to not let the computer’s legitimate owner know that someone else is controlling it. It’s an arms race between attacker and defender.
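Once the command channel is plain HTTP, port blocking is useless and the defender has to look at behaviour instead. What gives these bots away is that they check in on a schedule, whereas people browse in bursts. The following is an added example (not from the article quoted above or from any product) of that idea run over constructed proxy log lines in Node.js: the log format, the client addresses, the check-in host and path, and the jitter threshold are all assumptions chosen for the demo.

```javascript
// Added example: flag HTTP check-ins in a proxy log by the regularity of
// their timing. Node.js, no dependencies. The log lines below are
// constructed; the format is "timestamp client method url status bytes".

const SAMPLE_LOG = [
  // Bot on 10.0.0.7 polling its command page roughly every five minutes.
  "2006-10-25T12:00:00Z 10.0.0.7 GET http://updates.example.net/cmd.php 200 312",
  "2006-10-25T12:05:02Z 10.0.0.7 GET http://updates.example.net/cmd.php 200 312",
  "2006-10-25T12:10:01Z 10.0.0.7 GET http://updates.example.net/cmd.php 200 312",
  "2006-10-25T12:14:59Z 10.0.0.7 GET http://updates.example.net/cmd.php 200 312",
  "2006-10-25T12:20:00Z 10.0.0.7 GET http://updates.example.net/cmd.php 200 312",
  "2006-10-25T12:25:01Z 10.0.0.7 GET http://updates.example.net/cmd.php 200 312",
  // Person on 10.0.0.12 reloading a news page whenever they feel like it.
  "2006-10-25T12:00:10Z 10.0.0.12 GET http://news.example.com/index.html 200 48211",
  "2006-10-25T12:00:45Z 10.0.0.12 GET http://news.example.com/index.html 200 48230",
  "2006-10-25T12:03:30Z 10.0.0.12 GET http://news.example.com/index.html 200 48198",
  "2006-10-25T12:03:40Z 10.0.0.12 GET http://news.example.com/index.html 200 48198",
  "2006-10-25T12:11:05Z 10.0.0.12 GET http://news.example.com/index.html 200 48300",
  // A one-off hit that must not be flagged for lack of data.
  "2006-10-25T12:07:00Z 10.0.0.9 GET http://www.example.org/ 200 5120",
];

// Parse one log line into a record; throws on a malformed URL or timestamp.
function parseLine(line) {
  const [ts, client, method, url, status, bytes] = line.trim().split(/\s+/);
  const t = Date.parse(ts);
  if (Number.isNaN(t)) throw new Error("bad timestamp: " + ts);
  const u = new URL(url);
  return { t, client, method, host: u.host, path: u.pathname, status: +status, bytes: +bytes };
}

// Group requests by (client, host, path); for groups with at least minHits
// requests, compute the mean gap between requests and its coefficient of
// variation (stddev / mean). Low variation means a timer, not a person.
function findBeacons(lines, { minHits = 4, maxJitter = 0.1 } = {}) {
  const groups = new Map();
  for (const rec of lines.map(parseLine)) {
    const key = rec.client + " " + rec.host + rec.path;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(rec.t);
  }
  const flagged = [];
  for (const [key, times] of groups) {
    if (times.length < minHits) continue;
    times.sort((a, b) => a - b);
    const gaps = [];
    for (let i = 1; i < times.length; i++) gaps.push((times[i] - times[i - 1]) / 1000);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
    const jitter = Math.sqrt(variance) / mean;
    if (jitter <= maxJitter) {
      flagged.push({ key, hits: times.length, periodSeconds: mean, jitter });
    }
  }
  return flagged;
}

// Stand-alone demo.
for (const b of findBeacons(SAMPLE_LOG)) {
  console.log(`beacon candidate: ${b.key} (${b.hits} hits, every ~${b.periodSeconds.toFixed(0)}s, jitter ${b.jitter.toFixed(3)})`);
}
```

On the constructed data the bot's gaps are 302, 299, 298, 301 and 301 seconds (jitter about 0.005), the person's are 35, 165, 10 and 445 seconds (jitter above 1), so only the bot is reported. Real bots add random sleep to blunt exactly this check, so in practice the threshold is tuned per environment and combined with other signals such as constant response sizes and check-ins outside working hours.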

Posted on October 25, 2006 at 12:14 PM

Torpark

Torpark is a free anonymous web browser. It sounds good:

A group of computer hackers and human rights workers have launched a specially-crafted version of Firefox that claims to give users complete anonymity when they surf the Web.

Dubbed “Torpark” and based on a portable version of Firefox 1.5.0.7, the browser will run from a USB drive, so it leaves no installation tracks on the PC. It protects the user’s privacy by encrypting all in- and outbound data, and also anonymizes the connection by passing all data through the TOR network, which masks the true IP address of the machine.

From the website:

Torpark is a program which allows you to surf the internet anonymously. Download Torpark and put it on a USB Flash keychain. Plug it into any internet terminal whether at home, school, work, or in public. Torpark will launch a Tor circuit connection, which creates an encrypted tunnel from your computer indirectly to a Tor exit computer, allowing you to surf the internet anonymously.

More details here.

Posted on September 28, 2006 at 6:51 AM

New Anonymous Browser

According to Computerworld and InfoWorld, there’s a new Web browser specifically designed not to retain information.

Browzar automatically deletes Internet caches, histories, cookies and auto-complete forms. Auto-complete is the feature that anticipates the search term or Web address a user might enter by relying on information previously entered into the browser.

I know nothing else about this. If you want, download it here.

EDITED TO ADD (9/1): This browser seems to be both fake and full of adware.

Posted on September 1, 2006 at 8:23 AM
