Tech firms patch ‘Beast’ SSL flaws

Microsoft, Google, and Mozilla developers are addressing a flaw in SSL encryption that could allow an attacker to decrypt intercepted traffic.

Microsoft said in an advisory on Monday that it would bring out a patch for the flaw. The patch could be out-of-cycle or in-band, depending on the impact of the flaw on customers, the company said.

“Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0 and TLS 1.0, affecting the Windows operating system,” the company said. “This vulnerability affects the protocol itself and is not specific to the Windows operating system.”

The flaw, which has been known for a number of years, was successfully exploited by security researchers Juliano Rizzo and Thai Duong. Rizzo and Duong demonstrated a proof-of-concept (PoC) tool called ‘Browser Exploit Against SSL/TLS’ (Beast) at the Ekoparty security conference on 23 September. The Beast PoC allows a man-in-the-middle attack on a browser session. SSL is used by many websites to encrypt financial transactions.

Cyber terrorist threats loom 10 years after 9/11

Since the attacks of Sept. 11, 2001, the possibility of a second devastating attack by al-Qaida or a similar group has been on the minds of many Americans. There has been much discussion as to whether terrorist groups could get access to nuclear, biological or chemical weapons — weapons of mass destruction.

Should we be concerned about another potential threat — a cyber weapon of mass destruction?

Yes, say security experts. The cyber terrorist threat is real, and plots involving such attacks may already be in the works.

According to Damon Petraglia, a director with Chartstone, a computer, network and digital forensic resource company based in Connecticut, and a member of the electronic crimes task force for the U.S. Secret Service, cyber terrorist attacks have been taking place for more than a decade

Israeli-Turkish Cyberwar Begins

Amid the current diplomatic impasse between Ankara and Jerusalem, Turkish hackers hijacked some 350 Israeli websites on Sunday evening, launching a Domain Name System (DNS) attack on dozens of other websites as well.

Israeli IT analysts said Tuesday the DNS hijacking is likely to be, in fact, a “test-run” ahead of a major attack on Israeli domains.

Visitors to some of the sites were diverted to a page declaring it was “World Hackers Day.”

At least seven high-profile websites outside Israel were also hijacked, including those of The Telegraph, Acer, National Geographic, UPS and Vodafone.

Hackers calling themselves the “TurkGuvenligi group” claimed responsibility for the cyber-attack. TurkGuvenligi translates as “Turkish security.”

Microsoft: Stolen SSL certs can’t be used to install malware via Windows Update

Microsoft said Sunday that a digital certificate stolen from a Dutch company could not be used to force-feed customers malware through its Windows Update service.

The company’s assertion came after a massive theft of more than 500 SSL (secure socket layer) certificates, including several that could be used to impersonate Microsoft’s update services, was revealed by Dutch authorities and several other affected developers.

“Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers,” said Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), in a Sunday blog post. “The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued and secured by Microsoft.”

Department of Homeland Security warns Anonymous Hackers

The Department of Homeland Security is beginning to take Anonymous and other non-professional cyber-attackers more seriously as it issues a warning about potential attacks. The 2 September security bulletin from the DHS National Cyber-Security and Communications Integration Centre warned financial services companies to be on the lookout for attackers operating under the Anonymous umbrella to “solicit ideologically dissatisfied, sympathetic employees” to the cause.

The unclassified DHS communique is addressed broadly to those in charge of cybersecurity and critical infrastructure protection and also warns about new tools that Anonymous has said it plans to use in launching future attacks.

One of the attack tools highlighted in the alert is dubbed #RefRef, which is said to be capable of using a server’s resources and processing power to conduct a denial of service attack against itself.

FBI fights back against cybercrime

An attractive brunette in a business suit is making her online pitch. “Are you tired of searching for legit CVV shops?” her animated form asks from the corner of the website. “Search no more,” she promises. This site has “handpicked cards” with “high balances”. “What are you waiting for? Register now.”

It looks like a legitimate business website, one for small business financing perhaps. But I’m being shown this site — and asked not to identify it — by FBI special agent Keith Mularski in the offices of the National Cyber-Forensics & Training Alliance, a Pittsburgh-based alliance between international law enforcement agencies, business and academia that has been charged with tackling the growing menace of cybercrime. This is a site at the cutting edge of crime.

CVV stands for card verification value. This site, and its equally professional rivals, are selling stolen credit card information to criminals who snap them up like songs on iTunes. A dollar buys enough information to use someone else’s card online, $30 buys a “dump,” all the information you need to copy a card and set off on your own real-world shopping spree with somebody else’s plastic.

There are millions of stolen accounts available, hacked from banks and online sellers, or swiped at cash machines. The FBI recently reclaimed 1.5m numbers from one seller alone. You can sort by type, MasterCard, Visa, or American Express, by geography, or just stick to business cards for their higher balances. There’s no need to fear getting ripped off. Criminals peer-review each other’s sites. It’s eBay for crooks.

MRG Effitas Antilogger & Browser Security Test

MRG Effitas will be conducting an assessment of anti-logging and browser security products on Monday. The test will assess the security products’ ability to prevent our NEW simulator from capturing the user credentials entered into an HTTPS banking site.

We will be including the following applications:

1. Zemana AntiLogger

2. TrustWare BufferZone Pro

3. SentryBay Data Protection Suite

4. SoftSphere DefenseWall

5. QFX Software KeyScrambler Personal

6. Neo’s SafeKeys

7. Prevx

8. Quaresso Protect On Q

9. Trusteer Rapport

In total, we will test twelve applications, so we are asking users or vendors to contact us to suggest other applications which could be included.

We will consider any dedicated anti-logging application which purports to provide protection against key logging / capture of data from within Internet Explorer.

We will include the three applications which are suggested the greatest number of times.

MRG Effitas Flash Tests – Update

MRG has been conducting flash tests for nearly two years now. The purpose of the tests was to give a basic indication of a product’s performance against zero-day threats over a period of time.

Whilst the tests used only a single sample each time, we attempted to ensure their validity by using samples which were found on active URLs and by using IE as an infection vector. Each sample used is a single snapshot of a pool of some hundreds of variants of that specific malware type.

The flash tests have become quite popular among users and some vendors, so in an effort to increase their relevance, we increased the number of samples used from one to four. As of the 29th of August, we will be introducing significant changes to the tests to further increase their validity.

The new flash tests will be run as two separate tests. We will continue with the dynamic tests, using samples from live URLs with IE as the infection vector; however, these will now be run once each week with eight samples per test.

To help give greater statistical relevance, we will include a static component to the flash tests. Twice each month, we will test using 100,000 malicious samples which are less than 72 hours old. Whilst static testing does not always assess efficacy as accurately as dynamic, it remains a convenient way to get a loose indication of performance against a large number of samples.

We will continue to run the dynamic tests using the existing cohort of security applications; however, vendors who are not existing clients will need to contact us to ask for their product to be included in the bi-monthly static tests.

We welcome input / feedback from users and vendors concerning the new flash tests. Please feel free to contact us with your comments.

Four years’ jail for Facebook post that incited no one

Two men who posted messages on Facebook inciting other people to riot in their home towns during the recent English outbreaks of violence have each been sentenced to four years in prison by a judge at Chester Crown Court.

Jordan Blackshaw, 20, set up an “event” called Smash Down in Northwich Town for the night of August 8 on the social networking site but no one apart from the police, who were monitoring the page, turned up at the prearranged meeting point outside a McDonald’s restaurant. Blackshaw was promptly arrested.

Perry Sutcliffe-Keenan, 22, of Latchford, Warrington, used his Facebook account in the early hours of August 9 to design a web page entitled The Warrington Riots.

The court was told it caused a wave of panic in the town. When he woke up the following morning with a hangover, he removed the page and apologised, saying it had been a joke. His message was distributed to 400 Facebook contacts, but no rioting broke out as a result.

Sentencing Blackshaw to four years in a young offenders’ institution, Judge Elgan Edwards, QC, said he had committed an “evil act”.

Las Vegas To Host Next U.S. Cyber Challenge ‘NetWars’

More than 100 security professionals next month will compete in a two-day cybersecurity competition that simulates real-world attackers and attacks.

The SANS NetWars contest — part of the U.S. Cyber Challenge program — will be held as part of the SANS Network Security 2011 conference at Caesars Palace in Las Vegas. The contest is for both new and seasoned hackers.

Capture-the-flag (CTF) type hacking contests are nothing new in cybersecurity. What makes NetWars different than, say, DefCon’s CTF is that it’s aimed at all levels of hacking skills and all competitors have to begin at level one of the contest, says Ed Skoudis, director of NetWars for SANS. The more advanced players can then quickly advance to higher levels — up to level four, then five, where the participant gets access to a system at the root level, he says. “Level five is for people who really know their stuff. There’s castle-on-castle combat,” Skoudis says.

“DefCon is a big-team CTF focused on binary analysis and exploit development. That’s cool and a fantastic skill,” Skoudis says. “That’s not what NetWars is focused on. Ours includes this, too, but it’s multilevel and multidisciplinary.”