Tag Archive | "Attack"

Mobile device makers react differently to attack info, researcher says

When a researcher at an ethical-hacking firm discovered mobile devices from Apple, Google, RIM and HTC had a flaw in them that would allow an attacker using malicious Web code to freeze them up and crash them, he contacted the companies last year.

Full story: Network World on Security

Posted in Security

Researcher releases attack code for just-patched Windows bug

Attack code for a Windows vulnerability that Microsoft patched last week was released by a researcher one day after the company fixed the flaw.

Full story: Computerworld Security News

Posted in Security


Lil Wayne’s Twitter account shut down after hack attack

Lil Wayne’s Twitter account has been taken offline, after someone hacked into the popular rapper’s account this weekend and posted a series of joke messages.

A hacker, who seemingly guessed the singer’s password, sent a series of bizarre messages to Lil Wayne’s 1.2 million followers – including rude tweets to celebrity pals 50 Cent, Soulja Boy and The Game. According to AllHipHop.com, some of the language used was highly offensive.

Mind you, any fan of music like that is probably used to distasteful language.

Lil Wayne's Twitter account

Lil Wayne has now shut down his Twitter account, which went by the name @liltunechi. To be honest, he hasn’t had the best of times on Twitter – his page was previously hacked late last year, with fake news being posted about upcoming performances.

Clearly if he can’t keep control of his Twitter account, it’s better that it be disabled.

If nothing else, this case proves that just because a Twitter account is “verified” it doesn’t mean that it really is the celebrity (or an authorised representative) who is doing the tweeting.

Other celebrities who have had their Twitter accounts hacked in the past include Axl Rose, politician Ed Miliband, Britney Spears and plummy-voiced TV property crumpet Kirsty Allsopp.

Make sure that you always choose a non-dictionary word that’s hard to guess as your Twitter password, and never use the same password on multiple websites.

Also, be on your guard against phishing sites and ensure that your computer is running up-to-date anti-virus software to protect against keylogging spyware which may attempt to steal your information.

Finally, consider carefully which third-party applications and websites you allow to connect with your Twitter account.

Full story: Naked Security – Sophos

Posted in Antivirus

Shocking Footage of the Stockholm Terrorist Bomb Attack

If you got here because you are a regular follower of the Norman blogs, Norman Security Advisories or any of the Norman social networking links, you are of course not to blame. It is sensible to stay educated.
If you got here otherwise, because you are a sensationalist, boy-oh-boy… you are one easy target for scammers, spammers and anyone else trying to invade your system. Believe me! Anyway, here is the footage:

If you can’t view the footage that should automatically appear in the window frame above, please click on the link. The system will automatically forward you to the best option possible for your situation.

The people who try to take over your system will use any means of social engineering to get you to download their malicious programs. Often the lure is a “solution” for a game you are stuck on, a promise to get rid of all your system problems (while actually introducing a few), a claim that footage of a naked celebrity can only be seen with a special codec of remarkable functionality (if you can call spyware that), or unique footage of a recent world event that can only be seen with the same special codec (again, if you can call spyware that).

How often did you fall for this? Aha…

And how often do you think your fellow humans have fallen for it? Indeed… Too many people…

That is why these messages come to you shortly after new events hit the world news. Be careful, be sensible. If the footage a page claims to show is that intriguing and that newsworthy, you can bet your local television news will show it as well, without the risk of your system being taken over.

To protect yourself against these “opportunities” you will need proper protection. If you want to learn more about that, please click on the above picture. Since you are still reading I can tell you it leads to something harmless, educational and useful!
 

Full story: Norman’s security blog

Posted in Antivirus

Fake White House holiday e-mail is cyber attack

WASHINGTON (AP) — It looked like an innocent e-mail Christmas card from the White House.
But the holiday greeting that surfaced just before…

Full story: Computer Crime Research News

Posted in Security


E-mail Hack Attack Or Not?


You’re not a spammer, so when your friends start asking why you sent them that message about male enlargement or mail-order brides you know right away something is very wrong. Has your computer been recruited into a botnet? Did somebody hack your password? There are several possibilities, none of them truly pleasant.

First, the good news. The cause almost certainly isn’t an e-mail virus on your system. If a virus is involved, the victim is somebody else, someone whose address book includes you. But if there’s no virus involved, if malefactors hacked your account or simply guessed your password, you’ve got some serious cleanup work to do.

For details on what can happen, how you can identify the cause, and what steps to take for recovery see my article Was My E-mail Hacked?. And if your e-mail password is “password” or “123” or your dog’s name, change it right now!



Full story: Security Watch

Posted in Security

Microsoft Windows vulnerable to new type of attack (Reuters)

Reuters – Some versions of Microsoft Corp’s Windows operating system are vulnerable to attack from hackers exploiting a flaw in the software that could allow them to remotely take control of a personal computer.

Full story: Yahoo! News: Security News

Posted in Security


Pro-WikiLeaks hackers attack Zimbabwe government websites

Hacktivists have struck a blow against the regime in Zimbabwe by attacking a number of government websites. The cyber-assault appears to have been in support of newspapers that published secret cables in the ongoing WikiLeaks saga, to the annoyance of the powers that be in the country.

Grace Mugabe, wife of Zimbabwe president Robert Mugabe, was recently reported to be suing a newspaper for $15 million after it published a WikiLeaks cable that claimed she has benefited from illegal diamond trading.

As news spread amongst the loosely-knit group of Anonymous hackers who support WikiLeaks, websites belonging to the Zimbabwe government and Robert Mugabe’s ZANU-PF party were hit by distributed denial-of-service (DDoS) attacks and, in the case of the Finance Ministry, defacements.

Defaced Zimbabwe government website

The Zimbabwe government’s online portal at www.gta.gov.zw and the official ZANU-PF website continue to be offline, and the Finance Ministry’s website now displays a message saying it is under maintenance.

Zimbabwe Ministry of Finance down for maintenance

A statement published on an Anonymous website offered an explanation for the attacks, which have been dubbed “Operation: Zimbabwe”:

We are targeting Mugabe and his regime in the ZanuPF who have outlawed the free press and threaten to sue anyone publishing wikileaks.

Although many people are deeply concerned about corruption in Zimbabwe, I am certain that internet attacks are not the answer.

It seems kind of ironic to me that the hackers – who are engaged in actions seemingly intended to be pro-WikiLeaks and which they say are in the name of free speech – are using denial-of-service attacks that by their very nature prevent others from communicating.

And don’t forget, participating in a DDoS attack is against the law in many countries.

Full story: Naked Security – Sophos

Posted in Antivirus

Vulnerable systems are at risk of attack from “Aurora”


Posted in Video

Gawker related attack from 174.132.178.37

The recent Gawker media hack is probably related to a spate of malicious activity from 174.132.178.37, trying to log into forums, according to a couple of different reports on the web -  [1] [2] -  and my own experience of someone trying to get into a forum, presumably with Gawker harvested credentials. The purpose is unknown, but the person behind it may well be trying to use established – on Dynamoo’s Blog

Posted in Security


BlackHat SEO attack – Target: Wikileaks

Yet another BHSEO attack, and as always the cybercriminals are using the most popular terms, in this case Wikileaks related terms:

  • Wikileaks
  • Wikileaks killing video
  • Wikileaks afghanistan
  • Wikileaks video

This is what you get when you search some of these terms:

When clicking on any of these poisoned results, you get to a Youtube-like website:

There is no video there; instead you get a message telling you to download some codecs to watch it, and doing so infects the computer with a fake antivirus detected as Adware/MySecurityEngine.


– Luis Corrons on PandaLabs Blog

Posted in Antivirus

Hackers promoted bogus terror attack at APEC 2009

More information has come to light about the hacking attacks against Singapore Government and APEC officials at last year’s Lion City meetings of the Asia Pacific Economic Cooperation Forum (APEC). –
Ross O. Storey on Network World on Security

Posted in Security

Anonymous attack against anything anti-wikileaks

DDoS attacks are flying across the Internet like there is no tomorrow. Just a few days ago, a hacktivist operating under the handle “th3j35t3r” decided to single-handedly take down the WikiLeaks website with a DoS tool of his (or their) own creation. He issued a statement on Twitter shortly afterwards explaining that the attacks against the WikiLeaks website were made for “attempting to endanger the lives of our troops, ‘other assets’ & foreign relations.” According to our statistics, his attacks resulted in 1 day 3 hours and 50 minutes of downtime for WikiLeaks before the site was completely yanked offline by Amazon and EveryDNS.

WikiLeaks Downtime

On the other side of the attack spectrum, the anonymous attackers involved in Operation: Payback have vowed to take a temporary break from their mega-assault on the entertainment industry in order to spend some time helping WikiLeaks. Their first target is PayPal, after the U.S.-based company closed its doors on WikiLeaks citing an AUP violation.

PayPal issued the following statement on their blog:

“PayPal has permanently restricted the account used by WikiLeaks due to a violation of the PayPal Acceptable Use Policy, which states that our payment service cannot be used for any activities that encourage, promote, facilitate or instruct others to engage in illegal activity”

Shortly after the PayPal announcement, Anonymous decided that the PayPal Blog would be its first DDoS target in Wikileaks related counterattacks.

The following statements were released on an Anonymous Twitter account:

“TANGO DOWN — thepaypalblog.com — Blog of Paypal, company that has restricted Wikileaks’ access to funding. #Paypal #Wikileaks #WL #DDoS”

“Close your #Paypal accounts in light of the blatant misuse of power to partially disable #Wikileaks funding. Join in the #DDoS if you’d like”

According to our stats, ThePayPalBlog.com has been down since 4 AM PST on 12/4/2010 and shows no sign of coming back online anytime soon.

Anonymous organizers had this to say in regards to the temporary switch in focus,

“While we don’t have much of an affiliation with WikiLeaks, we fight for the same: we want transparency (in our case in copyright) and we counter censorship. The attempts to silence WikiLeaks are long strides closer to a world where we can not say what we think and not express how we feel. We can not let this happen, that is why we will find out who is attacking WikiLeaks and with that find out who tries to control our world. What we are going to do when we found them? Except for the usual DDoSing, word will be spread that whoever tries to silence or discourage WikiLeaks, favors world domination rather than freedom and democracy.”

Anti-Anti WikiLeaks

Update – 12/4/2010 – 10:50 AM PST:

After nearly 7 hours of constant attacks, the PayPal blog has either been deleted or permanently taken offline.  Accessing the blog this morning revealed the following 403/access forbidden error:

403 error on ThePayPalBlog.com

Update – 12/4/2010 – 1:24 PM PST:

ThePayPalBlog.com is no longer resolving to the 403 error page and is completely down again.

Update – 12/4/2010 – 2:50 PM PST:

PayPal has reduced its entire blog to a plain text statement regarding their decision to suspend WikiLeaks.

PayPal Blog Notice

Update – 12/5/2010 – 1:28 PM PST:

ThePayPalBlog.com is now back up after 75 service interruptions and 8 hours 15 minutes of total downtime.  This report doesn’t take into account the many hours that ThePayPalBlog.com resolved to a 403 error.

ThePayPalBlog.com

Update – 12/6/2010 – 3:06 AM PST

Official plans to support WikiLeaks have been announced.

Update – 12/6/2010 – 12:00 PM PST

Anonymous has launched its second attack on the main PayPal website.  Minutes after they announced the launch of the attack, their infrastructure started to take a hit.  Their website is now unavailable and presumably under counter DDoS attack.

The following poster has been circulating on the Internet:

Anonymous :: PayPal Attack Poster

Update – 12/6/2010 – 12:30 PM

They are now going after postfinance.ch, the bank that took down Julian Assange’s defense fund. We have recorded 5 minutes of downtime so far.

Update – 12/6/2010 – 1:52 PM

The attack on postfinance.ch is ongoing.  The site first went down at 12:33 PM PST and has been down for over one hour.

postfinance.ch downtime

Update – 12/6/2010 – 3:02 PM

The Anonymous website is currently under heavy DDoS attack.  We’ve observed just under 2 hours of downtime and 23 service interruptions since the pro-wikileaks attacks started this morning.

Anonymous Counterattack

Update – 12/6/2010 – 5:07 PM

The attack against PostFinance.ch is still underway.  We have observed 4 hours 41 minutes of continuous downtime since the attack started.

In addition to the DDoS attack, some Anonymous members are spamming PostFinance offices with the following image.

PostFinance instructions

Update – 12/7/2010 – 12:03 AM

The attack against PostFinance.ch is still going strong with 11 hours 35 minutes of recorded downtime and counting.

This DDoS is one of the first successful attacks on a financial institution and is getting in the way of customers doing business with the company.  One user wrote on Twitter, ” #payback can you stop the DDoS on postfinance for 10 minutes so that I can bank please? pretty please?”


Update – 12/7/2010 – 9:30 AM

Anonymous attacked postfinance.ch well into last night, with 16 hours and 30 minutes of recorded downtime.  The chat room currently has over 900 people joining in on the attack, as well as over 500 computers involved in their voluntary DDoS botnet (LOIC HIVEMIND).

LOIC (Low Orbit Ion Cannon) is an open-source network stress-testing tool that the attackers have adopted for their DDoS attacks. In its HIVEMIND mode the user enters an IRC server and channel into the application; LOIC then connects to that channel, takes the target and attack parameters from the channel topic, and immediately starts attacking whatever the channel operators have chosen, so each participating machine behaves as a node of a voluntary botnet.

Here is what the software looks like:

Low Orbit Ion Canon DDoS Software

Update – 12/7/2010 – 9:44 AM

The target has switched over to http://aklagare.se, the website of the Swedish prosecutors. The site went down instantly after the target was selected, with over 500 computers in the voluntary botnet attacking it all at once.

Update – 12/7/2010 – 10:16 AM

Over 1000 people have joined the chat to participate in the attacks against anything anti-WikiLeaks.

Over 1000 attackers have joined in on the attacks

Update – 12/7/2010 – 2:10 PM

We have recorded 4 hours 26 minutes of downtime for Aklagare.se, since the attack started focusing on the site at 9:44AM PST

Update – 12/7/2010 – 3:06 PM

The target has been switched to EveryDNS.com, the DNS provider that took WikiLeaks down. The target was announced at 2:52 PM PST and the website was taken down just one minute later at 2:53 PM PST.  We have 10 minutes of recorded downtime and counting:

http://bit.ly/dSHvhj

- lithium on Malware Database

Posted in Featured, Security


Drive-by ransomware attack demands $120

Researchers at SophosLabs are analysing a new ransomware attack that appears to have hit computer users via a drive-by vulnerability on compromised websites.

Malicious hackers are spreading the ransomware, which encrypts media and Office files on victims’ computers, in an attempt to extort $120. In a nutshell – you can’t access your files because the malicious code has encrypted them (in our observations, the whole file isn’t encrypted – just the first 10% or so), and the hackers want you to pay the ransom if you want your valuable data back.

The attack, which Sophos detects as Troj/Ransom-U, changes your Windows desktop wallpaper to deliver the first part of the ransom message.

Ransomware wallpaper

The main ransom demand is contained in a text file:

Ransomware message

Attention!!!

All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself - just look for files in all folders.

There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.

We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.

For details you have to send your request on this e-mail (attach to message a full serial key shown below in this 'how to..' file on desktop): [email address]

The HOW TO DECRYPT FILES.txt file gives an email address to contact if you wish to recover your data. In addition, there is a fingerprint hex-string in the file which changes between successive runs – the message says that victims must quote this string when making contact (presumably it is related to the actual key used for decryption).

Users have reported to us that they have received the attack via a malicious PDF which downloads and installs the ransomware. Sophos detects the PDF as Troj/PDFJS-ML.

Files with the following extensions can be affected: .jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .mdb, .odt, .vob, .ifo, .mpeg, .mpg, .doc, .docx, .xls, and .xlsx. The easiest way to identify files that have been meddled with is that their filenames will have been changed to include the suffix “.ENCODED”.
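A triage script for an incident like this, added here as an example (it is not Sophos’ code and not part of the write-up): it walks a directory for files carrying the .ENCODED suffix, checks whether the original extension is on the list above, and compares the byte entropy of the first 10% of each file with the rest, which is how the “only the first 10% or so is encrypted” observation can be confirmed on a victim machine before any recovery decision is made. The suffix handling (name.ext.ENCODED), the 7-bits-per-byte entropy threshold and the sample files are assumptions made for the example.

```python
"""Triage helper for the partial-encryption ransomware described above.

This is an added example, not code from Sophos or from the write-up.
Assumptions not stated in the original: each renamed file keeps its
original name and extension in front of the ".ENCODED" suffix
(report.docx -> report.docx.ENCODED), and an encrypted region has
near-maximal byte entropy (close to 8 bits per byte) while untouched
document data does not.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

ENCODED_SUFFIX = ".ENCODED"

# Extensions named in the write-up (duplicates removed).
TARGETED_EXTENSIONS = {
    ".jpg", ".jpeg", ".psd", ".cdr", ".dwg", ".max", ".mov", ".m2v", ".3gp",
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rar", ".zip", ".mdb",
    ".mp3", ".cer", ".p12", ".pfx", ".kwm", ".pwm", ".txt", ".pdf", ".avi",
    ".flv", ".lnk", ".bmp", ".1cd", ".md", ".mdf", ".dbf", ".odt", ".vob",
    ".ifo", ".mpeg", ".mpg",
}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the ceiling for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, head_fraction: float = 0.10, threshold: float = 7.0) -> dict:
    """Compare the entropy of the first `head_fraction` of a file with the rest.

    The write-up observed that only roughly the first 10% of each file is
    encrypted, so a genuine victim file shows a high-entropy head and a
    low-entropy tail; a fully encrypted file is high-entropy throughout.
    """
    data = path.read_bytes()
    cut = max(1, int(len(data) * head_fraction))
    head_entropy = shannon_entropy(data[:cut])
    tail_entropy = shannon_entropy(data[cut:])
    original_name = path.name[: -len(ENCODED_SUFFIX)]
    ext = Path(original_name).suffix.lower()
    return {
        "path": str(path),
        "original_name": original_name,
        "targeted_extension": ext in TARGETED_EXTENSIONS,
        "head_entropy": round(head_entropy, 2),
        "tail_entropy": round(tail_entropy, 2),
        "partial_encryption": head_entropy >= threshold and tail_entropy < threshold,
        "fully_encrypted": head_entropy >= threshold and tail_entropy >= threshold,
    }


def triage(root, **kwargs) -> list:
    """Return one classification per *.ENCODED file below `root`."""
    files = sorted(p for p in Path(root).rglob("*" + ENCODED_SUFFIX) if p.is_file())
    return [classify(p, **kwargs) for p in files]


def build_sample_tree(root=None) -> Path:
    """Constructed sample data, not a real infection: a document whose first
    10% is overwritten with random bytes, a fully random 'image', and one
    untouched file that must not be reported."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    root.mkdir(parents=True, exist_ok=True)
    rng = random.Random(1)
    body = b"Quarterly report, nothing encrypted in this part. " * 400
    cut = len(body) // 10
    partial = bytes(rng.getrandbits(8) for _ in range(cut)) + body[cut:]
    (root / ("report.docx" + ENCODED_SUFFIX)).write_bytes(partial)
    (root / ("holiday.jpg" + ENCODED_SUFFIX)).write_bytes(
        bytes(rng.getrandbits(8) for _ in range(8192)))
    (root / "notes.txt").write_bytes(body)
    return root


if __name__ == "__main__":
    for hit in triage(build_sample_tree()):
        print(hit)
```

Run it against a copy of the affected volume, never the original; the head/tail split also tells you how much of each file is recoverable from a partial backup, since everything past the first 10% is still plaintext.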

Of course, we don’t recommend paying money to ransomware extortionists. There’s nothing to say that they won’t simply raise their ransom demands even higher once they discover you are prepared to pay up.

Once again, users who make regular backups of their important data have good reason to pat themselves on the back.

Posted in Antivirus


Twitter Trending Topic Attack (II)

There was an attack targeting various trending topics on Twitter today. I’ve been analyzing the campaign and have collected the following information:

(Malware and Maltego file available upon request.  Shoot me a message on Twitter.)

  • 311 accounts were involved in the attack
  • Many of these Twitter handles were harvested between May and July of last year (!), which leads me to believe that it originated from the same group of people from last year’s attack that took place around June. (http://pandalabs.pandasecurity.com/visualizing-the-twitter-trends-attack/)
  • The bulk of the attack took place 8 hours ago.
  • 11 shortened URLs
  • Site contains asx file pointing to exploits
  • Site attempts to exploit PDF vulnerabilities (object 17.0 contains a TrueType font carrying the SING table overflow, CVE-2010-2883)
  • Generic downloader Trojan

    Maltego view of the malicious tweets for one of the malicious URL’s



Here are the shortened URL’s used in the attack:

Warning: These URL’s point to malicious sites that contain live exploits.

hxxp://shortlinks.co.uk/2o10

hxxp://urlcut.com/1yoec

hxxp://doiop.com/li7h90

hxxp://tiny.cc/swkw4

hxxp://tiny.cc/isuny

hxxp://tinyurl.com/32eothq

hxxp://tiny.cc/v123p

hxxp://alturl.com/fb6cb

hxxp://doiop.com/c0ae2b

hxxp://bit.ly/hLJhq4

hxxp://yep.it/powmfk

Here is the traffic right after we click on a link in Twitter:

GET hxxp://shortlinks.co.uk/2o10

302 Found to hxxp://briceguilbert.com/about.html

GET hxxp://briceguilbert.com/about.html

304 Not Modified ()

GET hxxp://twitter.com/scribe?r=3915&log%5B%5D=%7B%22component%22%3A%22dashboard%22%2C%22trends%22%3A%5B%7B%22trend%22%3A%22%23Share%22%2C%22rank%22%3A0%2C%22promoted_content_id%22%3A83%7D%2C%7B%22trend%22%3A%22%232010disappointments%22%2C%22rank%22%3A1%7D%2C%7B%22trend%22%3A%22%23lilkimmustfeellike%22%2C%22rank%22%3A2%7D%2C%7B%22trend%22%3A%22%23frasesquemarcaron%22%2C%22rank%22%3A3%7D%2C%7B%22trend%22%3A%22Nominations%22%2C%22rank%22%3A4%7D%2C%7B%22trend%22%3A%22Hanukkah%22%2C%22rank%22%3A5%7D%2C%7B%22trend%22%3A%22Grinch%22%2C%22rank%22%3A6%7D%2C%7B%22trend%22%3A%22Kyrie%20Irving%22%2C%22rank%22%3A7%7D%2C%7B%22trend%22%3A%22World%20AIDS%22%2C%22rank%22%3A8%7D%2C%7B%22trend%22%3A%22Chabelo%22%2C%22rank%22%3A9%7D%5D%2C%22page%22%3A%22search%22%2C%22_category_%22%3A%22webclient%22%2C%22event_name%22%3A%22trend-impression%22%2C%22ts%22%3A1291267543912%7D&log%5B%5D=%7B%22component%22%3A%22dashboard%22%2C%22trends%22%3A%5B%7B%22trend%22%3A%22%23Share%22%2C%22rank%22%3A0%2C%22promoted_content_id%22%3A83%7D%2C%7B%22trend%22%3A%22%232010disappointments%22%2C%22rank%22%3A1%7D%2C%7B%22trend%22%3A%22%23lilkimmustfeellike%22%2C%22rank%22%3A2%7D%2C%7B%22trend%22%3A%22%23frasesquemarcaron%22%2C%22rank%22%3A3%7D%2C%7B%22trend%22%3A%22Nominations%22%2C%22rank%22%3A4%7D%2C%7B%22trend%22%3A%22Hanukkah%22%2C%22rank%22%3A5%7D%2C%7B%22trend%22%3A%22Grinch%22%2C%22rank%22%3A6%7D%2C%7B%22trend%22%3A%22Kyrie%20Irving%22%2C%22rank%22%3A7%7D%2C%7B%22trend%22%3A%22World%20AIDS%22%2C%22rank%22%3A8%7D%2C%7B%22trend%22%3A%22Chabelo%22%2C%22rank%22%3A9%7D%5D%2C%22page%22%3A%22search%22%2C%22_category_%22%3A%22webclient%22%2C%22event_name%22%3A%22trend-impression%22%2C%22ts%22%3A1291267572467%7D

200 OK (text/javascript)

GET hxxp://bestivideos.has.it/

200 OK (text/html)

GET hxxp://bestivideos.has.it/ad.html

304 Not Modified ()

GET hxxp://mybuger.info/flash/

304 Not Modified ()

GET hxxp://nht-2.extreme-dm.com/n2.g?login=todd&pid=kickad&jv=y&j=y&srw=1024&srb=16&l=hxxp%3A//bestivideos.has.it/

200 OK (image/gif)

GET hxxp://ljivore.info/folder/index.php?f85f8c52a26c60a4b4aed5232760bc83

200 OK (text/html)

GET hxxp://mybuger.info/flash/error.jpg

404 Not Found (text/html)

GET hxxp://ljivore.info/folder/images/43abbf45f97a3d649961cf9f6854c6a6.asx

200 OK (video/x-ms-asx)

GET hxxp://ljivore.info/folder/images/np/43abbf45f97a3d649961cf9f6854c6a6/f3a350ffbd6b32a3b3f0d29ebf395ab8.pdf

200 OK (application/pdf)

– lithium on Malware Database

Posted in Security

Large US hosting provider hit in web attack

Over the past few weeks, we have been seeing a whole mix of legitimate web sites serving up a specific malicious JavaScript. When innocent users browse these sites, the injected JavaScript adds an iframe element to the page in order to load further malicious content from a remote site.

As you can see, the injected scripts are polymorphic and heavily obfuscated, one of the common tricks used by hackers in an attempt to evade detection. Regardless of the obfuscation, Sophos products generically block the malicious scripts as Mal/JSIfrLd-A.

Looking at a number of the affected sites, it was quickly apparent that they shared a common link – they all seemed to be running WordPress. Ahah, the root cause? After all, WordPress injection attacks are pretty commonplace, and something all site admins should be aware of.

In typical WordPress injection attacks, the database ends up “peppered” with malicious HTML (typically an iframe or script element to load other remote content) such that the web pages users view when browsing the site contain that malicious code. In this latest attack however, things are a little more complex.

Firstly, one or more files containing malicious JavaScript are added to the site, within an existing folder using a .php filename, for example:

.../wp-content/plugins/wp-polls/tinymce/plugins/polls/langs/mm_menu.php
.../wp-includes/js/tinymce/plugins/media/AC_OETags.js.php
.../wp-content/uploads/2010/02/bigballs.php
.../games/IE7.php
.../wp-includes/js/tinymce/plugins/fullscreen/mod_jw_sir.php
.../es/wp-includes/js/tinymce/plugins/directionality/md5-min.php

Then a legitimate JavaScript file that is already used by the site is modified to include a call to the above file(s). For example, the hacked jQuery script found on one of the victim sites is shown below. You can see the malicious code that has been added to the beginning of the file, which will attempt to load five malicious scripts that have been added to the site.
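As an added example of how to hunt for this pattern (not Sophos’ or WordPress’ code), the script below scans a WordPress document root for the three artefacts described above: .php files dropped into wp-content/uploads/, double extensions such as .js.php, and a jQuery file with code prepended ahead of its licence banner or obfuscation markers in its first kilobyte. The path rules, the obfuscation markers and the sample site tree are assumptions chosen for the example; real WordPress installs legitimately contain .php files under wp-includes/js/tinymce, so dropped files like the mm_menu.php and mod_jw_sir.php above are better caught by comparing against a known-good file list or the checksums of the installed version than by a path rule alone.

```python
"""Scan a WordPress document root for the file-level injection pattern above.

Added example, not Sophos' or WordPress' code. The checks are heuristics
chosen for this write-up, not WordPress rules:
  1. any .php file below wp-content/uploads/ (that tree should hold media only);
  2. a double extension such as name.js.php or name.gif.php anywhere;
  3. a jquery*.js file whose first non-blank line is not the start of a
     comment banner (something was prepended), or whose first kilobyte
     contains eval/unescape/fromCharCode/document.write, typical of the
     obfuscated loaders described in the post.
"""
import re
import tempfile
from pathlib import Path

UPLOADS_PREFIX = "wp-content/uploads/"
DOUBLE_EXTENSION = re.compile(r"\.(js|css|gif|jpe?g|png|bmp|swf)\.php$", re.I)
JQUERY_NAME = re.compile(r"^jquery[\w.-]*\.js$", re.I)
OBFUSCATION = re.compile(rb"eval\(|unescape\(|String\.fromCharCode|document\.write\(")


def check_file(root: Path, path: Path) -> list:
    """Return (relative_path, reason) tuples for one file; empty if clean."""
    rel = path.relative_to(root).as_posix()
    reasons = []
    if rel.startswith(UPLOADS_PREFIX) and path.suffix.lower() == ".php":
        reasons.append("php file in uploads tree")
    if DOUBLE_EXTENSION.search(path.name):
        reasons.append("double extension ending in .php")
    if JQUERY_NAME.match(path.name):
        head = path.read_bytes()[:1024]
        first_line = next((ln for ln in head.splitlines() if ln.strip()), b"")
        if not first_line.lstrip().startswith(b"/*"):
            reasons.append("code prepended before jQuery banner")
        if OBFUSCATION.search(head):
            reasons.append("obfuscation markers in jQuery head")
    return [(rel, r) for r in reasons]


def scan(root) -> list:
    """Walk the document root and collect findings for every regular file."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            findings.extend(check_file(root, path))
    return findings


def build_sample_site(root=None) -> Path:
    """Constructed sample tree mimicking the paths quoted in the write-up;
    the file contents are placeholders, not the real injected code."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    files = {
        "wp-content/uploads/2010/02/bigballs.php": b"<?php eval(base64_decode('...')); ?>",
        "wp-includes/js/tinymce/plugins/media/AC_OETags.js.php": b"<?php echo 'x'; ?>",
        "wp-includes/js/jquery/jquery.js":
            b"document.write(unescape('%3Cscript src=...%3E'));\n"
            b"/*!\n * jQuery JavaScript Library v1.4.2\n */\n",
        "wp-content/themes/twentyten/index.php": b"<?php get_header(); ?>",
        "wp-content/themes/twentyten/js/jquery.cycle.js":
            b"/*!\n * jQuery Cycle Plugin\n */\n(function($){})(jQuery);\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    for rel, reason in scan(build_sample_site()):
        print(f"{reason:40} {rel}")
```

Treat a hit as a reason to diff the whole install against pristine WordPress and plugin packages; as the post goes on to argue, a single compromised site rarely tells you where the attacker got in.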

So, is WordPress really the relevant link between the affected sites? Or is that just coincidence? Earlier today I queried all of the sites that we have seen hit in this attack over the past 7 days, identifying almost 600. When looking at the GeoIP data for these sites I found that 97% of them were hosted by the same provider! Couple this with the fact that several different WordPress versions are being used by the affected sites (including the latest version in some cases) and I think the finger of blame should perhaps be pointing somewhere other than WordPress.

Digging further, it would appear that the hosting provider in question is no stranger to site hacks, as official posts on their company blog testify. In such cases it is imperative that in addition to cleaning up affected sites, the target of the attack is identified (be it a vulnerable server, web application or otherwise). Only then can any vulnerabilities or insecurities be closed, to prevent future similar attacks.

As a footnote, whilst security may not be your top priority when choosing a hosting provider, it should be pretty high up the list. Assume that all servers, sites and web applications will be attacked. Assume that some of these attacks will succeed. What you want to know is how your provider will respond – from clean up to hardening against future attacks.

Posted in Antivirus

Wikileaks Cablegate Attack

Yesterday morning, a DDoS attack temporarily disrupted traffic to Wikileaks hours ahead of the “Cablegate” release of leaked US documents. Wikileaks announced the outage on a Facebook update and Twitter post around 11:00am EST while simultaneously derogating the attack and insisting “El Pais, Le Monde, Spiegel, Guardian & NYT will publish many US embassy cables tonight, even if WikiLeaks goes down”.



In the graph below, I show traffic to one of Wikileaks’ primary hosting providers on November 28 as seen through 100 ATLAS providers around the world. At approximately 10:05am EST, traffic abruptly jumps by 2-4 Gbps as the attack begins.

Shortly after the attack started, Wikileaks redirected DNS from its AS8473 Swedish hosting provider to mirror sites hosted by a large cloud provider in Ireland (and later the US as well). While the DDoS attack generated an outpouring of blog posts, news articles and tweets, it appears to have had little impact on the Wikileaks “Cablegate” release of documents.

Overall, at 2-4 Gbps the Wikileaks DDoS attack was modest in the relative scheme of recent attacks against large web sites. Though, TCP and application level attacks generally require far lower bps and pps rates to be effective (more discussion of recent DDoS trends is available here). Engineering mailing list discussion also suggests the hosting provider and upstreams decided to blackhole all Wikileaks traffic rather than transit the DDoS.

At the time of this writing, all Wikileaks domains are reachable from servers in the US, Europe and Asia. The New York Times and most other major media outlets also have since published extensive synopses of the leaked documents.

While the source of the attack is unknown, blogs and social networking sites have variously blamed governments and vigilante hacker groups. At least one Twitter account with a history of past attacks (the Jester) claimed responsibility. In earlier tweets, the Jester boasted of using low-bandwidth application-layer attacks instead of relying on large botnets (all of which is consistent with the data ATLAS observed for this Wikileaks attack).

Wikileaks also came under fire in 2008 with a 500 Mbps DDoS attack shortly before the release of leaked Swiss bank documents.

 
 

– Craig Labovitz on Security to the Core | Arbor Networks Security » 2010

Posted in Antivirus

Is SAP Afraid of a Stuxnet-style Attack? (PC World)

PC World – Enterprise software provider SAP is stepping up its security stance as its once-isolated systems become increasingly connected to the Internet, posing new risks as hackers diversify their targets. – on Yahoo! News: Security News

Posted in Security

Secunia hit by DNS redirect web attack

The website of respected security intelligence company Secunia was redirected for over an hour on Thursday after a DNS hijack pointed visitors to a different website. –
John E Dunn on Network World on Security

Posted in Security

McAfee Application Control prevents zero day attack from “Aurora”

Google and dozens of other companies have been recently attacked by a new malware program called “Aurora” which is able to compromise and steal data from vulnerable systems. This demo displays how McAfee Application Control, the industry leading Application Whitelisting solution, can completely prevent Aurora from having any impact to your systems.

Speaker: Georg Wicherski. The increasing amount of new malware each day not only pushes anti-virus companies to new limits in handling these samples and creating detection signatures; network security providers and administrators also find it increasingly hard to learn how samples affect the networks they try to protect. Dynamic analysis of malware by execution in sandboxes has been applied successfully to both problems, but classic sandbox approaches suffer from severe scalability problems. Most rely on setting up a real target system, such as Windows XP, as a virtual machine with additional software that logs the actions performed. While these are easy to develop and set up, they require a separate virtual machine instance for each sample analysed and therefore do not scale with today’s malware growth. Anti-virus vendors have tried to work around the performance problems of file analysis by developing custom emulators that can be deployed on a customer end-host for detection and do not require a whole operating system inside a virtual machine. These emulators, however, are often software interpreters for the x86 instruction set and so run into execution speed limits of their own. Additionally, they are detectable because they try to emulate every single Windows API but suffer from accuracy issues
Video Rating: 0 / 5

Posted in Video

Scareware SEO attack exploits engagement of Prince William and Kate Middleton

Yesterday, the news wires were hot with the announcement of the engagement of Prince William to Kate Middleton. As ever with hot news stories, one thing is inevitable: it is just a matter of time before the story is picked up and used in blackhat search engine optimisation (SEO) attacks.

Searching for ‘kate middleton + william’ revealed a huge number of results, including several images on the first page of the results.

Royal family engagement images

Unfortunately, some of these images are actually within malicious SEO pages, and clicking through to them results in an immediate redirect to a rogue web site, where the user is greeted with a warning message.

Warning message

From here on, it is the usual fake anti-virus trickery, starting with the fake system scan.

Fake anti-virus scan

The user is tricked into downloading and installing the fake anti-virus (which is using the filename inst.exe at the time of writing). Once installed, our old friend Security Tool runs a scan of the system.

Fake anti-virus

Happily, Sophos customers are proactively protected from this spate of attacks: the fake anti-virus malware is already detected (as Mal/FakeAV-EE).

For those looking to understand a little more about how SEO attacks are constructed, take a read through the paper we recently posted, or check out the following video that Chet created.

Source: Naked Security – Sophos

Posted in Antivirus

Phishing Attack Targets Merchant Accounts

The point of many phishing scams is to gain access to bank or credit account information for financial gain. So it makes sense to target the users or accounts with the highest odds of holding substantial amounts of money. That explains a new phishing attack, reported by AppRiver, which takes aim at customers of Global Payments.

View full post on Network World on Security

Posted in Security

New cyber attack linked to Nobel Peace Prize (AFP)

A skull and crossbones is seen above a computer keyboard. (AFP/File/Joel Saget)

AFP – A fake email invitation to this year’s Nobel Peace Prize ceremony is currently circulating and carrying with it a virus capable of infecting the computer of anyone who opens it, computer security experts warned.

View full post on Yahoo! News: Security News

Posted in Security

Researcher to Release Web-based Android Attack (PC World)

PC World – A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google’s Android phones over the Internet.

View full post on Yahoo! News: Security News

Posted in Security
