++codemasters

Just a Greek Coding Team.

Archive "January 2011"

Hackers sell access to military and government academic websites


Dozens of military, government and education websites have been hacked and are up for sale, according to researchers from Imperva's Hacker Intelligence Initiative (HII). The HII team has unearthed evidence that dozens of sites are being offered, including defence and state sites in the US and Europe.

According to a team led by Noa Bar Yosef, Imperva's senior security strategist, high-profile sites such as an Italian government website (http://itcgcesaro.gov.it), the Department of Defense Pharmacoeconomic Center (http://pec.ha.osd.mil/) and even the US Army Communications-Electronics Command (CECOM) (http://cecom.army.mil) are on offer.

In a security blog post, Rob Rachwald of Imperva writes that the hacker has put up a range of sites at prices between $55 and $499.

Imperva's research team also found the hacker offering personal data taken from the hacked sites: "The hacker is also selling personally identifiable information from hacked sites, for $20 per 1K records", says the blog, citing "a list of UConn staff" as an example.

Imperva's post includes screenshots that the hacker offered as proof of access.

According to Rachwald, the victim sites were probably found with an automated SQL injection scanner and exploited in an equally automated manner; the hacker had described his methods in a post on a hacker forum.

"In the screen shot [here] we can see IRC chat between the SQLi 'master' = @evil, which issues the scanning commands, and the exploiting 'x0wner', which performs the commands", says the Imperva blog.

"In this specific case @evil issues a command for x0wner to obtain DB table names (!tbls) from the vulnerable link (www.site.gr/athlete.php?id=…); x0wner reports its findings, the tables 'activities' and 'admin'," the blog notes.
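The scanner-and-bot workflow in the quoted IRC exchange reduces to one SQL trick. The following is an added Python/SQLite example, not code from Imperva, Krebs or the site in question: the athletes table, the two other table names and the two lookup functions are assumptions standing in for the PHP page behind www.site.gr/athlete.php?id=. The UNION payload is what a `!tbls` command amounts to when the id parameter is pasted into the query text; the hardened lookup shows why the same request returns nothing once the id is validated and bound.

```python
import sqlite3

# Constructed stand-in for the athlete site's database (assumption, not the real schema).
# A page like athlete.php?id=... typically runs one SELECT against a table such as this.
SCHEMA = """
CREATE TABLE athletes (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE activities (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO athletes VALUES (1, 'Maria'), (2, 'Nikos');
INSERT INTO activities VALUES (1, 'marathon');
INSERT INTO admin VALUES (1, 'admin', 'hunter2');
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The classic bug: the id parameter is concatenated straight into the SQL text.

    In PHP this is the pattern  "SELECT name FROM athletes WHERE id=" . $_GET['id']
    """
    sql = "SELECT name FROM athletes WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, raw_id):
    """Fix: validate the type, then bind the value so it can never be parsed as SQL."""
    try:
        athlete_id = int(raw_id)
    except ValueError:
        # Anything that is not an integer is a probe, not a user: refuse (and log it).
        return []
    cur = conn.execute("SELECT name FROM athletes WHERE id=?", (athlete_id,))
    return [row[0] for row in cur]


# What a bot command such as !tbls boils down to: a UNION that appends rows from the
# schema catalogue to the page's own query. The left half matches nothing (id=0), so
# the page renders only the catalogue rows. SQLite keeps its catalogue in sqlite_master;
# on MySQL the equivalent source is information_schema.tables.
TBLS_PAYLOAD = "0 UNION SELECT name FROM sqlite_master WHERE type='table'"


def enumerate_tables(conn, lookup):
    """Drive a lookup function the way the scanning bot drives a vulnerable URL."""
    return sorted(lookup(conn, TBLS_PAYLOAD))


if __name__ == "__main__":
    db = build_db()
    print("vulnerable page leaks:", enumerate_tables(db, lookup_vulnerable))
    print("hardened page leaks:  ", enumerate_tables(db, lookup_hardened))
```

Against a real MySQL backend the scanner first has to find a column count that makes the UNION line up, which is why such bots probe with ORDER BY or a growing list of NULLs before issuing the table listing; the defence does not change, though: never concatenate the parameter, validate its type and bind it.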

Security researcher Brian Krebs picked up Imperva's research over the weekend, detailing much of the site information that Rachwald had chosen to block out in his post.

In his security blog, Krebs finds it ironic that one of the sites allegedly for sale is the Department of Defense Pharmacoeconomic Center, a DoD site tasked with "improving the clinical, economic, and humanistic outcomes of drug therapy in support of the military health system".

“In all likelihood, if access to this site is purchased, it will be by someone looking to plant links to rogue online pharmacies of the sort frequently advertised in junk e-mail”, said Krebs.

“People who get paid to promote these rogue pharmacies typically do so by hacking legitimate websites and including links back to fly-by-night pharma sites, and they particularly like dot-mil, dot-gov and dot-edu sites because search engines tend to treat links coming from those domains with more authority than random .com sites”, he added.

Krebs also noted that the ‘Undetected Private Java Driveby Exploit’ that the hacker is selling is “none other than the social engineering trick I blogged about last week.”

Written by c0demasters

January 24, 2011, 10:25 p.m.

Microsoft releases free secure development tool


Microsoft on Monday announced the free availability of a new software verification tool designed for developers as well as IT professionals.

Announced at this week’s Black Hat conference in Washington, D.C., the tool, called Attack Surface Analyzer, helps determine when poorly designed applications widen the attack surface of a Windows system.

The tool is used to “highlight the changes in system state, run-time parameters and securable objects on the Windows operating system,” according to a Security Development Lifecycle blog post. It identifies altered or new files, registry keys, services, ActiveX controls, listening ports, access control lists and other components that could increase an attack surface.

“The tool takes snapshots of an organization’s system and compares these to identify changes,” the post said, citing a product description. “[It] does not analyze a system based on signatures or known vulnerabilities; instead, it looks for classes of security weaknesses as applications are installed on the Windows operating system.”

The tool also produces a report detailing the changes that a particular application may have made to a system.
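The snapshot-and-compare approach the post describes, as an added Python example that is not the Attack Surface Analyzer's code or output: the two snapshots are constructed by hand, the category names, attribute names and severity rules are assumptions, and the Acme updater service, its binary and port 8080 are invented for illustration. The diff reports what an install added, removed or changed, rates each item by the class of weakness it represents, and adds one cross-category check (a service whose binary low-privileged users can overwrite) that a per-object listing would miss.

```python
from dataclasses import dataclass

# Constructed snapshots (assumption, not real tool output): each category maps an
# object to the attributes that matter for its attack surface.
BASELINE = {
    "services": {
        "Spooler": {"account": "LocalSystem", "binary": r"C:\Windows\System32\spoolsv.exe"},
    },
    "listening_ports": {
        "tcp/445": {"bind": "0.0.0.0", "process": "System"},
    },
    "files": {
        r"C:\Windows\System32\spoolsv.exe": {"acl": {"Administrators": "F", "Users": "RX"}},
    },
    "activex": {},
}

AFTER_INSTALL = {
    "services": {
        "Spooler": {"account": "LocalSystem", "binary": r"C:\Windows\System32\spoolsv.exe"},
        "AcmeUpdater": {"account": "LocalSystem", "binary": r"C:\ProgramData\Acme\updater.exe"},
    },
    "listening_ports": {
        "tcp/445": {"bind": "0.0.0.0", "process": "System"},
        "tcp/8080": {"bind": "0.0.0.0", "process": "updater.exe"},
    },
    "files": {
        r"C:\Windows\System32\spoolsv.exe": {"acl": {"Administrators": "F", "Users": "RX"}},
        r"C:\ProgramData\Acme\updater.exe": {"acl": {"Administrators": "F", "Everyone": "F"}},
    },
    "activex": {
        "AcmeCtl.Control": {"safe_for_scripting": True},
    },
}

WRITE_RIGHTS = {"F", "M", "W"}  # full control, modify, write
BROAD_PRINCIPALS = {"Everyone", "Users", "Authenticated Users"}


@dataclass
class Finding:
    category: str
    name: str
    change: str    # added / removed / changed
    severity: str  # high / medium / info
    detail: str


def _rate(category, name, change, attrs):
    """Classify a new or changed object by the class of weakness it represents (own heuristics)."""
    severity, detail = "info", "attack surface grew"
    if category == "listening_ports" and attrs.get("bind") == "0.0.0.0":
        severity, detail = "high", "new network listener on all interfaces"
    elif category == "services" and attrs.get("account") == "LocalSystem":
        severity, detail = "high", "new service runs as LocalSystem"
    elif category == "files":
        loose = [p for p, r in attrs.get("acl", {}).items()
                 if p in BROAD_PRINCIPALS and r in WRITE_RIGHTS]
        if loose:
            severity, detail = "high", "writable by " + ", ".join(loose)
    elif category == "activex" and attrs.get("safe_for_scripting"):
        severity, detail = "medium", "ActiveX control marked safe for scripting"
    return Finding(category, name, change, severity, detail)


def diff_snapshots(before, after):
    """Compare two snapshots category by category and return what changed."""
    findings = []
    for category in sorted(set(before) | set(after)):
        b, a = before.get(category, {}), after.get(category, {})
        for name in sorted(set(a) - set(b)):
            findings.append(_rate(category, name, "added", a[name]))
        for name in sorted(set(b) - set(a)):
            findings.append(Finding(category, name, "removed", "info", "object removed"))
        for name in sorted(set(a) & set(b)):
            if a[name] != b[name]:
                findings.append(_rate(category, name, "changed", a[name]))
    return findings


def service_binary_writable(snapshot):
    """Cross-category check: a service binary that broad groups can overwrite lets a
    low-privileged user run code as the service account on the next restart."""
    hits = []
    for svc, attrs in snapshot["services"].items():
        acl = snapshot["files"].get(attrs["binary"], {}).get("acl", {})
        writers = [p for p, r in acl.items() if p in BROAD_PRINCIPALS and r in WRITE_RIGHTS]
        if writers:
            hits.append((svc, attrs["account"], attrs["binary"], writers))
    return hits


def report(before, after):
    lines = [f"[{f.severity:<6}] {f.category}: {f.name} ({f.change}) - {f.detail}"
             for f in diff_snapshots(before, after)]
    for svc, account, binary, writers in service_binary_writable(after):
        lines.append(f"[high  ] service {svc} ({account}) binary {binary} writable by {', '.join(writers)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BASELINE, AFTER_INSTALL)))
```

Taking the baseline snapshot on a clean machine and the second one right after installing the product under test is what makes the comparison meaningful; the same diff run against two unrelated machines mostly reports noise.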

The Attack Surface Analyzer is available as a free download from Microsoft.

Source: http://www.scmagazineus.com/microsoft-releases-free-secure-development-tool/article/194470/

Written by c0demasters

January 23, 2011, 6:22 p.m.

Posted under IT-Security Research and News
