Archive for the 'Hacking' Category
Trend Micro – Hacktivism
A very interesting take on a new form of political hacking using DOS attacks…very interesting!
via Trend Micro
Google searches the web’s dark side
I found this interesting article on the BBC site & thought it was noteworthy and very good to know:
One in 10 web pages scrutinized by search giant Google contained malicious code that could infect a user’s PC.
Researchers from the firm surveyed billions of sites, subjecting 4.5 million pages to “in-depth analysis”.
About 450,000 were capable of launching so-called “drive-by downloads”, sites that install malicious code, such as spyware, without a user’s knowledge.
A further 700,000 pages were thought to contain code that could compromise a user’s computer, the team report.
To address the problem, the researchers say the company has “started an effort to identify all web pages on the internet that could be malicious”.
Phantom sites
Drive-by downloads are an increasingly common way to infect a computer or steal sensitive information.
They usually consist of malicious programs that automatically install when a potential victim visits a booby-trapped website.
“To entice users to install malware, adversaries employ social engineering,” wrote Google researcher Niels Provos and his colleagues in a paper titled The Ghost In The Browser.
“The user is presented with links that promise access to ‘interesting’ pages with explicit pornographic content, copyrighted software or media. A common example are sites that display thumbnails to adult videos.”
The vast majority exploit vulnerabilities in Microsoft’s Internet Explorer browser to install themselves.
Some downloads, such as those that alter bookmarks, install unwanted toolbars or change the start page of a browser, are an annoyance. But increasingly, criminals are using drive-bys to install keyloggers that steal login and password information.
Other pieces of malicious code hijack a computer turning it into a “bot”, a remotely controlled PC.
Drive-by downloads represent a shift away from traditional methods of infecting a computer, such as spam and email attachments.
Attack plan
As well as characterizing the scale of the problem on the net, the Google study analyzed the main methods by which criminals inject malicious code on to innocent web pages.
It found that the code was often contained in those parts of the website not designed or controlled by the website owner, such as banner adverts and widgets.
Widgets are small programs that may, for example, display a calendar on a web page or a web traffic counter. These are often downloaded from third-party sites.
The rise of web 2.0 and user-generated content gave criminals other channels, or vectors, of attack, it found.
For example, postings in blogs and forums that contain links to images or other content could unwittingly infect a user.
The study also found that gangs were able to hijack web servers, effectively taking over and infecting all of the web pages hosted on the computer.
In a test, the researchers’ computer was infected with 50 different pieces of malware by visiting a web page hosted on a hijacked server.
The firm is now in the process of mapping the malware threat.
Google, part of the StopBadware coalition, already warns users if they are about to visit a potentially harmful website, displaying a message that reads “this site may harm your computer” next to the search results.
“Marking pages with a label allows users to avoid exposure to such sites and results in fewer users being infected,” the researchers wrote.
However, the task will not be easy, they say.
“Finding all the web-based infection vectors is a significant challenge and requires almost complete knowledge of the web as a whole,” they wrote.
via BBC News
Cybercrook for the FBI?
For 18 tense months, a computer-savvy grifter named David Thomas runs a thriving online crime hub for bank heists, identity theft and counterfeiting, with the FBI paying the bills.
Check out the full story here.
via (wired.com)
The Successes and Failures of the Security Industry
I found this interesting blog post on The Successes and Failures of the Security Industry on the Computer Defense blog.
The post covers 15 statements about security:
1) Today feels a lot like yesterday
2) The role of a Security Professional
3) There are too many so-called “Security Professionals”!
4) Security Breeds Apathy.
5) Security can be overwhelming
6) People are afraid of what they don’t understand.
7) Security is not seamless.
8) End users are ignorant
9) Not all security is right for you.
10) The World is a War Zone
11) It is no longer about the Chase, it is about the Money!
12) Attacks are Polymorphic.
13) Vendors and Security don’t match.
14) The industry is immature
15) 2+2=1
via ( Computer Defense )
Cloned E-Passports: Does your government care?
How easy is it to digitally clone an electronic passport?
Very. Using an RFID reader purchased on eBay, white-hat hackers from DN-Systems consulting recently demonstrated to the BBC how they can download British e-passport data to their computer and then write it to a new, blank RFID chip to create a perfect digital clone. Sure, the hack requires access to the software used by border police, but apparently, this is already out in the wilds. Astounding, huh? Yeah, but it’s not new. This is the same hack we’ve seen repeatedly demonstrated in Germany, the US, The Netherlands, Ireland, etc.
What’s notable here is the lack of incredulity imparted by the spokesman for the UK Home Office who said, “It is hard to see why anyone would want to access the information on the chip.” Identity theft, maybe? True, British e-passports, unlike those issued by other countries, do not (currently) store fingerprint scans in the chip and the encryption is just one aspect of the passport’s overall security. However, with these mechanisms also circumvented, shouldn’t our government officials be just a tad concerned?
How to hack DVD case security locks
First up, we think it’s worth making it clear that by linking and writing about this guide we’re not advocating that you go out and steal DVDs from your local retailer. With that out of the way, we’ve got to give slyfox117 over at instructables a bunch of kudos for figuring out how to gracefully remove a red security DVD lock: our typical method for removal after a store clerk forgets to take it off is to viciously tear the box apart. Using nothing but magnets (one of which slyfox extracted from an old hard drive), a bit of wiggling, and some carefully applied pressure, slyfox found it was possible to remove the lock and gain access to the contents of the case. He also has plans to find a way of opening full size anti-theft cases. Before you argue that the likeliness of a clerk forgetting to remove one of these precludes the need for such a how-to, might we remind you of our Lockdown series of posts? Remember kids, exposing weaknesses forces companies to be active about improving the security that should have been stronger in the first place.