Solo Iranian hacker takes credit for Comodo certificate attack.
A solo Iranian hacker on March 26 claimed responsibility for stealing multiple SSL certificates belonging to several Web sites, including Google, Microsoft, Skype, and Yahoo. Early reaction from security experts was mixed, with some believing the hacker’s claim while others were dubious. During the week of March 21, conjecture had focused on a state-sponsored attack, perhaps funded or conducted by the Iranian government, that hacked a certificate reseller affiliated with U.S.-based Comodo. Comodo acknowledged the attack March 23, saying that 8 days earlier hackers had obtained 9 bogus certificates for the log-on sites of Microsoft’s Hotmail, Google’s Gmail, the Internet phone and chat service Skype, and Yahoo Mail. A certificate for Mozilla’s Firefox add-on site was also acquired. Comodo’s CEO said during the week of March 21 that circumstantial evidence pointed to a state-backed attack, and claimed the Iranian government was probably behind it. He based his opinion on the fact that only Iran’s government — which could tamper with the country’s domain name system to funnel traffic through fake sites secured by the stolen certificates — would benefit. Source: http://www.computerworld.com/s/article/9215245/Solo_Iranian_hacker_takes_credit_for_Comodo_certificate_attack
Microsoft: Mystery bug blocks Syrian secure Hotmail.
Microsoft is blaming a mystery bug for preventing access to the encrypted version of Hotmail, denying that it deliberately blocked access to the service in Syria. Microsoft told The Register March 25 Hotmail users who had already enabled the HTTPS version of the popular e-mail service were still able to use it. Only Hotmailers trying to turn on HTTPS for the first time in certain countries and languages were being blocked, the company said. Microsoft said it still does not know what caused the bug, but it has been resolved and the company is investigating the cause. The company said users in the Bahamas, Cayman Islands, and Fiji were also affected. Source: http://www.theregister.co.uk/2011/03/26/microsoft_https_hotmail_syria/
Another zero-day exploit for SCADA systems.
According to ICS-CERT, the software is used in 38 countries, including the United States, Australia, the United Kingdom, Poland, and Canada. Source:
Randomization of code and binaries for evading AV solutions.
A detection evasion technique used by a site that serves fake AV has recently been spotted by a Zscaler researcher. The site’s source code was randomized so that each time a user visits the site, he is presented with a different fake count of supposedly found malware and a different malicious binary masquerading as an AV solution to download. "The code contains different random variables and fake security warnings, which have been split into smaller variables in an effort to evade antivirus and IDS/IPS engines that may seek to match common string patterns," the researcher noted. Even though the offered malware changes with each visit and the various files have different MD5 hashes, the size of the malicious binaries is always the same. All these files have a pretty low detection rate (around 19 percent on VirusTotal). "This demonstrates that pure pattern matching engines will fail to detect the attack based on pattern matching strings in source code," the researcher concluded. "Randomization of malicious binaries will also evade good antivirus engines." Source: http://www.net-security.org/malware_news.php?id=1675
March 24, V3.co.uk – (International) Security expert warns of targeted attacks on senior execs.
Attackers could use the practice of "vanity" searches to carry out targeted attacks, according to security experts. The chief executive of Trusteer suggested attackers could infect PCs belonging to high-level executives by lacing pages with search terms associated with the target’s name or company. He explained that, to keep tabs on news coverage, many executives have Google Alert settings that comb the engine for mentions of their own name, a practice known as a "vanity search." An attacker could craft a malicious page with an exploit tool or attack code. The malicious page could then be loaded with words associated with the individual or company being targeted.
The attack page would then appear on the target’s vanity searches, possibly luring an executive or other high-value target into a malware attack. Trusteer’s CEO said the potency of the attacks could be increased by the use of zero-day flaws in combination with personal information gathered through services such as LinkedIn. Source:
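The fake AV item above notes that pure string matching fails because the page’s warning text is split across randomly named variables and the count changes per visit. The Python below is an added example, not code from the Zscaler report or the fake AV site: it normalizes that obfuscation in two constructed page variants (VARIANT_A and VARIANT_B are made up for this example) so both produce the same fingerprint even though their raw MD5 hashes differ.

```python
import hashlib
import re

# Tiny JavaScript subset: string-variable declarations and simple tokens.
ASSIGN_RE = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"\s*;')
TOKEN_RE = re.compile(r'"[^"]*"|\w+|\S')

# Constructed variants of a randomized fake AV page (not real samples).
VARIANT_A = ('var qz81 = "WARNING: "; var m7 = "17 infec"; var k = "tions found!"; '
             'alert(qz81 + m7 + k); document.location = "setup_1.exe";')
VARIANT_B = ('var a = "WARN"; var bb = "ING: 23 "; var c3 = "infections found!"; '
             'alert(a + bb + c3); document.location = "setup_2.exe";')


def normalize(src: str) -> str:
    """Undo the randomization: inline string variables, re-join split
    literals, and mask the fake infection count so variants converge."""
    bindings = dict(ASSIGN_RE.findall(src))   # random var name -> literal
    body = ASSIGN_RE.sub("", src)              # drop the declarations
    tokens = [f'"{bindings[t]}"' if t in bindings else t
              for t in TOKEN_RE.findall(body)]
    merged = []
    for tok in tokens:                         # fold "a" + "b" into "ab"
        if (tok.startswith('"') and len(merged) >= 2 and merged[-1] == "+"
                and merged[-2].startswith('"')):
            merged[-2] = merged[-2][:-1] + tok[1:]
            merged.pop()
        else:
            merged.append(tok)
    return re.sub(r"\d+", "#", " ".join(merged))   # mask the varying number


def fingerprint(src: str) -> str:
    """Signature that survives the randomization (SHA-256 of normalized form)."""
    return hashlib.sha256(normalize(src).encode()).hexdigest()[:16]


def raw_md5(src: str) -> str:
    """What a per-file hash blocklist would see: different for every visit."""
    return hashlib.md5(src.encode()).hexdigest()


if __name__ == "__main__":
    print("raw md5 equal:   ", raw_md5(VARIANT_A) == raw_md5(VARIANT_B))
    print("normalized equal:", fingerprint(VARIANT_A) == fingerprint(VARIANT_B))
    print(normalize(VARIANT_A))
```

The same idea (compare content after stripping the parts an attacker randomizes) is why the report’s observation that the binaries keep an identical size is a usable clustering signal even when every MD5 differs.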
MySQL Web site falls victim to SQL injection attack.
Oracle’s MySQL.com customer Web site was compromised the weekend of March 26 and 27 by a pair of hackers who publicly posted usernames, and in some cases passwords, of the site’s users. Taking credit for the hack were "TinKode" and "Ne0h," who wrote that the hack resulted from a SQL injection attack. The vulnerable domains were listed as www.mysql.com and www-jp.mysql.com. According to a post on the Full Disclosure bug mailing list March 27, MySQL.com ran a variety of internal databases on an Apache Web server. The information posted included a raft of password hashes, some of which have now been cracked. Among the credentials in a dump of the information posted on Pastebin were passwords for a number of MySQL database users on the server, and the admin passwords for the corporate blogs of two former MySQL employees. Source: http://www.computerworld.com/s/article/9215249/MySQL_Web_site_falls_victim_to_SQL_injection_attack
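An added example, not code from the article or from mysql.com, of the query pattern that turns one lookup into a dump of the whole user table, shown next to its parameterized form. The table, usernames and passwords are constructed for this example; SQLite stands in for the database.

```python
import hashlib
import sqlite3

# Constructed sample users (not mysql.com's data).
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "qwerty")]


def build_db() -> sqlite3.Connection:
    """In-memory users table holding username and an unsalted SHA-256 hash.
    Unsalted fast hashes like these are what makes a leaked dump crackable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(u, hashlib.sha256(p.encode()).hexdigest()) for u, p in USERS],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Input is pasted into the SQL text, so quotes in it change the query.
    sql = f"SELECT username, pw_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Input is bound as a value; the query shape cannot change.
    sql = "SELECT username, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Row counts for the classic always-true input against both lookups."""
    conn = build_db()
    probe = "' OR '1'='1"
    return {
        "vulnerable": len(lookup_vulnerable(conn, probe)),      # whole table
        "parameterized": len(lookup_parameterized(conn, probe)),  # no such user
        "legit": len(lookup_parameterized(conn, "alice")),       # normal use
    }


if __name__ == "__main__":
    print(demo())
```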
Anonymous launches new DDoS attack against RIAA.
The Anonymous hacktivist collective has launched new distributed denial-of-service (DDoS) attacks against the Recording Industry Association of America (RIAA), after the trade group sued LimeWire. LimeWire was discontinued last October after RIAA won a permanent injunction forcing its creator, Lime Wire LLC, to disable the program’s searching, downloading, uploading, file trading, and/or all of its functionality. Earlier in March, on behalf of music labels, RIAA filed a statutory damage claim of $150,000 for each of the 11,000 songs illegally shared by LimeWire users. RIAA’s request was rejected by a judge of the U.S. District Court for the Southern District of New York. Despite RIAA’s request being denied, the Anonymous collective mounted a DDoS attack against the trade association’s Web site. Source: