As Dan Kaminsky recently demonstrated at the Black Hat conference in Las Vegas, the DNS security flaw presents a serious vulnerability.  In case there was previously any doubt, he showed just how dangerous to internal networks and the internet at large it is to run un-patched DNS servers.  Even with the patch, the exploit is still possible, just extremely difficult.

The vulnerabilities are not limited to the web, but affect every type of internet service and traffic, including IM, telnet, email, and usenet.  Every protocol uses DNS servers to locate and communicate with between servers and client computers.  Even HTTPS (web sites using SSL - Secure Sockets Layer) would be affected because the Certificate Authorities who authenticate the certificates rely on DNS.  Note that all major CAs have patched their DNS servers, but of course many sites use self-signed certificates.

Some services have already fallen prey to this exploit, with AT&T being the first publicized victim.  Actually, the victims were the people whose requests were directed to a bogus Google search site because of an un-patched AT&T DNS server.  Fortunately, the bogus site only hosted code to auto-click the adsense advertisements, creating extra revenue for the perpetrators.  It could have been worse, if for example the site had been created to infect visitors with drive-by infections or inducements to download crimeware.

The picture is not completely bleak.  Thanks in part to Kaminsky’s presentation, more organizations are taking the threat seriously and patching their servers.  Also, any SSH-based connections which had been made at least once prior to the exploit would warn users if new connection attempts were made to bogus sites, because of the way SSH keeps digital fingerprints of remote hosts.  So Secure Shell, sftp, scp, and SSH-based VPNs would at least warn users about the change in fingerprints, or deny the connection altogether, depending on the local configuration.

For anyone wishing to know whether or not the DNS server he or she is using has been patched, Dan has published an online DNS checker on his blog at http://www.doxpara.com/.

Author: Christopher

(2 votes, average: 5 out of 5)

 Loading ...

Symantec’s Monthly State of Spam report for March showed an increase in bounced messages that found spammers forging sent email addresses and using them in the “From” header of their own Spam messages.

Reminiscent of Backscatter, spammers are taking advantage of mail transfer agents configured to send back a list of failed email recipient addresses, an explanation of the cause of failure, and a copy of the original email. This opens a window for Spam attacks, as anti-spam filters do not block most “failed email” replies. Since spammers forge the sender’s address, this mail is going to be received by people who have nothing to do with the Spam.

Corporate networks will feel the greatest burden of the increased attacks. Using increased bandwidth and an increase of unwanted Spam messages in users’ inboxes will result in lost productivity. Networks are encouraged to configure mail transfer agents to not send back a copy of the original failed messages and require signatures for outgoing emails.

Author: Christopher

(No Ratings Yet)

 Loading ...

Almost 300,000 web sites hosted with Internet Information Services are infected with a new malicious malware according to PandaLabs. By injecting SQL code in all pages hosted on the same IIS server, this vulnerability allows hackers to inject SQL code and redirect the visitor to a malicious site. The malicious page scans the visitors machine to find ways to compromise the visitors machine. Exploits are then downloaded and used to infected the redirected visitor based on the information found on the scan.

If your site is hosted with Internet Information Services it is highly recommended you check to see if your site is compromised. To check if your site is compromised, search your source code for the following IFRAME reference: “<script src=http://www.nihaorr1.com/1.js>”. If this IFRAME reference is found, remove them immediately and notify your IIS admin right away.

Author: Christopher

(No Ratings Yet)

 Loading ...

Lifeblood - Memphis, TN
Over 320,000 blood donor records missing and assumed stolen.

Tenet Healthcare Corporation - Dallas, TX
An ex-employee was confirmed to have stolen 37,000 records with patient names and personal information.

Long Island University - Brookville, NY
30,000 tax records are considered compromised because of defective mailers with missing adhesive on one side.

Source: Privacy Rights Clearinghouse

Author: Christopher

(No Ratings Yet)

 Loading ...

HP Australia has warned that optional USB keys shipped with some of its Proliant servers are infected with malware, bringing attention to the growing use of USB drives as a means to distribute viral infections.

The low risk worms, Fakerecy and SillyFDC, were found in a batch of 256MB and 1GB USB keys that shipped with the servers. It is undetermined how many infected keys, used for installing optional floppy-disc drives to servers, were distributed. An infected machine in the manufacturing factory is the likely cause of the incident.

The malware distributed is not considered an enormous threat, due in part to the low number of estimated users still utilizing floppy disk drives for data storage and that most hackers don’t find the virus valuable.

This is not the first incident of infection to come out of the factory; others have involved digital photo frames and similar products. Anti-virus software, if up to date, should detect both of the viruses involved in the Proliant USB attack as long the computer security software was installed after the floppy disk was added. Disabling autorun thwarts both Fakerecy and SillyFDC and may be the better option.

HP’s advisory, via local security clearing house AUSCert, can be found here. The SANS Institutes’s Internet Storm Centre has advice on avoiding USB malware-related peril here.

Author: Christopher

(No Ratings Yet)

 Loading ...

1,800 attacks were registered throughout the United States throughout the last month, almost 20% higher than the previous month.  Foreign based attacks showed a decline of 4.5% resulting in over 2,800 attacks originating from a Foreign IP space.

Top 5 attacks used by U.S. hackers

• Cisco IOS HTTP Server HTML auto-view exploit
• Hacktool FxScanner detection
• PerlCal CGI reconnaissance directory traversal
• PHPNuke reconnaissance directory traversal
• Cisco IOS denial of service attack using non-standard protocol

Top 5 attacks used by foreign  hackers

• Generic File Inclusion Attack
• Mambo register_globals Emulation Layer Overwrite
• HTTP overflow attack
• phpBB Activity Module File Inclusion
• WebDAV Overflow Attempt

Author: Christopher

(No Ratings Yet)

 Loading ...