IIS vulnerability spreads like a forest fire

April 24th, 2008

Almost 300,000 web sites hosted on Internet Information Services are infected with new malware, according to PandaLabs. By injecting SQL code into every page hosted on the same IIS server, attackers redirect visitors to a malicious site. The malicious page scans the visitor's machine for ways to compromise it; exploits matching what the scan found are then downloaded and used to infect the redirected visitor.

If your site is hosted on Internet Information Services, it is highly recommended that you check whether your site is compromised. To do so, search your source code for the following injected reference: “<script src=http://www.nihaorr1.com/1.js>”. If this reference is found, remove it immediately and notify your IIS admin right away.
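As an added example (not code from the original post), the following Python script automates the check described above: it scans a web root for pages carrying a `<script src=...>` tag that points at the host named in the advisory, and it can run the same check over text values read from the site's database, since the tag was injected through SQL and may live in table columns rather than in static files. The file extensions, the `scan_records` helper and the sample pages written to a temporary directory are assumptions made for this example; the indicator host is the one quoted in the post.

```python
import re
import tempfile
from pathlib import Path

# Indicator quoted in the advisory: the injected tag loads a script from this host.
INDICATOR_HOST = "www.nihaorr1.com"

# Matches a <script ...src=...> tag and captures the host of the src URL.
# The src may be unquoted (as in the injected tag), single- or double-quoted,
# and may omit the scheme; a plain search for src="http://..." would miss it.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*(?<![\w-])src\s*=\s*['\"]?\s*(?:https?:)?//([^/'\"\s>]+)",
    re.IGNORECASE,
)


def find_injected_scripts(html, indicator_host=INDICATOR_HOST):
    """Return the 1-based line numbers of html on which a <script> tag loads from indicator_host."""
    hits = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for match in SCRIPT_SRC_RE.finditer(line):
            if match.group(1).lower() == indicator_host.lower():
                hits.append(lineno)
    return hits


def scan_tree(root, extensions=(".htm", ".html", ".asp", ".aspx", ".inc"),
              indicator_host=INDICATOR_HOST):
    """Walk a web root and return {file path: [line numbers]} for every file that carries the tag.

    The extension list is an assumption for this example; widen it to match your site.
    """
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        # errors="replace" keeps the scan going over files in odd legacy encodings.
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_injected_scripts(text, indicator_host)
        if hits:
            results[str(path)] = hits
    return results


def scan_records(rows, indicator_host=INDICATOR_HOST):
    """Return the labels of (label, text) rows whose text carries the tag.

    Assumed usage: feed it (primary key, column value) pairs read from the text
    columns of the site's database, where a SQL injection would have put the tag.
    """
    return [label for label, text in rows if find_injected_scripts(text or "", indicator_host)]


if __name__ == "__main__":
    # Constructed sample site: one clean page and one page carrying the injected tag.
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "index.html").write_text("<html><body><p>Welcome</p></body></html>\n")
        (Path(root) / "news.asp").write_text(
            "<html><head><title>News</title>\n"
            "<script src=http://www.nihaorr1.com/1.js></script></head></html>\n"
        )
        for path, lines in scan_tree(root).items():
            print(f"INFECTED {path}: lines {lines}")

    # Constructed sample rows, as if read from a text column of the site's database.
    sample_rows = [
        (1, "Spring sale starts Monday"),
        (2, "Contact us<script src=http://www.nihaorr1.com/1.js></script>"),
    ]
    print("infected rows:", scan_records(sample_rows))
```

Run it from the web root (or point `scan_tree` at it) and review every reported file; a hit in database rows means the injection is in the data, so cleaning the files alone will not remove it.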

Author: Christopher

Top 3 data loss breaches March 2008

April 13th, 2008

Lifeblood – Memphis, TN
Over 320,000 blood donor records missing and assumed stolen.

Tenet Healthcare Corporation – Dallas, TX
An ex-employee was confirmed to have stolen 37,000 records with patient names and personal information.

Long Island University – Brookville, NY
30,000 tax records are considered compromised because defective mailers were missing adhesive on one side.

Source: Privacy Rights Clearinghouse

Author: Christopher

HP USB Key Complete With Worms

April 9th, 2008

HP Australia has warned that optional USB keys shipped with some of its Proliant servers are infected with malware, bringing attention to the growing use of USB drives as a means to distribute viral infections.

The low-risk worms, Fakerecy and SillyFDC, were found in a batch of 256MB and 1GB USB keys that shipped with the servers. It is undetermined how many infected keys, which are used for installing optional floppy-disc drives on the servers, were distributed. An infected machine in the manufacturing factory is the likely cause of the incident.

The malware distributed is not considered an enormous threat, due in part to the small estimated number of users still using floppy disk drives for data storage, and to the fact that most hackers don’t find the virus valuable.

This is not the first incident of infection to come out of a factory; others have involved digital photo frames and similar products. Anti-virus software, if up to date, should detect both of the viruses involved in the Proliant USB incident as long as the security software was installed before the floppy disk drive was added. Disabling autorun thwarts both Fakerecy and SillyFDC and may be the better option.

HP’s advisory, via local security clearing house AUSCert, can be found here. The SANS Institute’s Internet Storm Centre has advice on avoiding USB malware-related peril here.

Author: Christopher

Top attacks used by hackers – March 2008

March 17th, 2008

1,800 attacks were registered throughout the United States over the last month, almost 20% more than the previous month. Foreign-based attacks declined by 4.5%, leaving over 2,800 attacks originating from foreign IP space.

Top 5 attacks used by U.S. hackers

  • Cisco IOS HTTP Server HTML auto-view exploit
  • Hacktool FxScanner detection
  • PerlCal CGI reconnaissance directory traversal
  • PHPNuke reconnaissance directory traversal
  • Cisco IOS denial of service attack using non-standard protocol

Top 5 attacks used by foreign hackers

  • Generic File Inclusion Attack
  • Mambo register_globals Emulation Layer Overwrite
  • HTTP overflow attack
  • phpBB Activity Module File Inclusion
  • WebDAV Overflow Attempt
Author: Christopher

Are employees “working around” your security?

March 11th, 2008

In a white paper released last November by RSA, research from ordinary person-on-the-street interviews with random office workers revealed troubling trends for those concerned with information security. Sometimes in an honest effort to finish their work from home or while traveling, sometimes through simple carelessness, but in either case without intending to put secure information at risk, employees from all sectors of the workplace admitted to behaviors which do, in fact, put secure information at risk.

In interviews conducted in Boston and Washington, D.C., employees from both the public and the private sector answered “frequently,” “sometimes,” or “never” to questions probing their own customary behavior and to questions asking what they had observed in their workplace. Nearly 20% of private enterprise employees reported that their employers, whose international networks are full of proprietary and confidential private information, including social security numbers and other personally identifying information, routinely leave the networks set up for conference room and guest use open and available, without a password, to anyone who might walk in.

Employees themselves, with their own logins and passwords, accessed their work network at home, in airports, in hotel and restaurant hot-spots, and even, at times, on public-access hotel or internet-cafe computer terminals. In fact, the number of workers who retrieved their work e-mail from a public-access computer was slightly higher than the number who used their own laptop at a public wireless hotspot. Both numbers, however, were over 50%. Since well over 80% of workers reported that they “frequently” or “sometimes” conduct business over some kind of network away from their workplace, one can conclude that perhaps 30% of employees access work from a home computer, either by modem or by high-speed internet connection.

More knowledge of security protocols will not solve the problem, according to RSA. Almost all employees confirm that they have been trained in their employer’s security policies and that they are familiar with those policies. Nevertheless, they hold doors to secure areas open for persons they don’t recognize, they notice people they don’t know working in empty offices without comment, and they find themselves with access to parts of the network they know they have no need to see.

Perhaps most troubling, a full third of all employees surveyed answered “yes” to the question, “Do you ever feel that you need to work around your company’s established security policies and procedures just to get your job done?”

RSA concluded its report, provocatively titled “The Confessions Report,” with a summary of its findings and a set of “Recommendations for Managing Information Risk.” The recommendations call for a “holistic, information-centric security strategy [that] takes people, processes and technology into account and has a feedback mechanism.” Clearly, an alert has been sounded.

Author: Christopher

Alexa Top 100 Domains compromised

February 28th, 2008

While Finjan was researching a server hosting a new version of the NeoSploit crimeware toolkit, a database of over 8,000 FTP accounts was uncovered. Login usernames and passwords for 10% of Alexa’s top 100 domains are in the database. A majority of the accounts originate in the United States.

Also uncovered was a trading application that rates the quality of the compromised accounts according to the location of the FTP server. This allows hackers to put a price on the stolen accounts.

These login credentials were stolen by appending an HTML iframe tag to the victims’ websites. We are finding this type of attack almost every day in our own research. Finjan identified government websites hosting similar malicious code; one example they discussed was a website belonging to a state superior court.

Finjan is offering to check whether your website appears in this database if you fill out this form.

Author: Christopher