Citizen Card and AMA sites compromised

The official website of the Cartão de Cidadão (the Portuguese citizen ID card, where citizens download the official card software) and the website of the Agência para a Modernização Administrativa (AMA) were compromised by a group calling itself hack_addicted.pt.

The group left the following messages:

hello hello I have the mysql root =) hack_addicted.pt

(...)

Full story at websegura.net

supply chain...

It was to be expected: "the [US] government is pushing for Sprint to pull radio base stations manufactured by [the Chinese] Huawei already installed on the network of wireless broadband company Clearwire. Sprint is a partner in Clearwire and is in the midst of acquiring it. Clearwire markets wireless broadband in the US under the CLEAR brand."

source: ArsTechnica

Symantec 2013 Internet Security Threat Report

Symantec's 2013 report was released recently. "Key Findings":

  • 42% increase in targeted attacks in 2012.
  • 31% of all targeted attacks aimed at businesses with less than 250 employees.
  • One waterhole attack infected 500 organizations in a single day.
  • 14 zero-day vulnerabilities.
  • 32% of all mobile threats steal information.
  • A single threat infected 600,000 Macs in 2012.
  • Spam volume continued to decrease, with 69% of all email being spam.
  • The number of phishing sites spoofing social networking sites increased 125%.
  • Web-based attacks increased 30%.
  • 5,291 new vulnerabilities discovered in 2012, 415 of them on mobile operating systems.

Fraud as a Service (FaaS)

from the RSA blog:

A recent discovery by RSA researchers shows a new FaaS offering that is being marketed directly via a popular social network. The sale item: a customized botnet panel programmed to work with the Zeus Trojan – both reworked by what appears to be an Indonesian-speaking malware developer.

Beyond having compiled a working Zeus Trojan kit, the developer customized an attractive control panel for the admin (basic and familiar in functionality, and taken from previous Zeus versions), the developer and his team created a demo website for potential buyers – which they have no qualms about sharing publicly, and best of all—a Facebook page with frequent updates and information about botnets, exploits, cybercrime, and their own product (Zeus v 1.2.10.1).

Linux/Cdorked.A, Darkleech, Blackhole, trojanized DNS servers

from ArsTechnica:

Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too

(...)

Linux/Cdorked.A, as the malicious backdoor behind the attacks is known, has been observed infecting at least 400 Web servers, 50 of them from the Alexa top 100,000 ranking, researchers from antivirus provider Eset said. The backdoor infects sites running the Apache, nginx, and Lighttpd Web servers and has already exposed almost 100,000 end users running Eset software to attack (the AV apps protect them from infection). Because Eset sees only a small percentage of overall Internet users, the actual number of people affected is presumed to be much higher.

(...)

Previously, Cdorked was known to infect only sites that ran on Apache, which remains by far the Internet's most popular Web server application. According to this month's server survey from Netcraft, Apache and nginx are the No. 1 and No. 3 packages respectively, with about 53 percent and 16 percent of websites. The survey didn't rank Lighttpd, a Web server designed for speed-critical sites that's used by sites including Meebo, YouTube, and Wikimedia, according to Wikipedia. The report of the susceptibility of nginx came as its maintainers issued an update that patches a remote-code execution vulnerability in the open-source Web server. (There's no evidence the vulnerability is related to the Cdorked infection.)

Linux/Cdorked.A is one of at least two backdoors recently observed causing trusted and often popular websites to push exploits that attempt to surreptitiously install malware on visitors' computers. Like Darkleech, a backdoor estimated to have infected 20,000 Apache websites, it redirects users to a series of third-party sites that host malicious code from the Blackhole exploit kit. A recent blog post from security firm Invincea reports another rash of website hijackings, but they appear to be unrelated to Cdorked, and there's no indication Darkleech is involved, either.

(...)

"We believe the operators behind this malware campaign are making significant efforts to keep their operation under the radar and to hinder monitoring efforts as much as possible," Eset researcher Marc-Etienne M.Léveillé wrote in a blog post published Tuesday. "For them, not being detected seems to be a priority over infecting as many victims as possible."

Cdorked-infected servers are also advanced enough to distinguish among different computing platforms used by end users visiting infected sites. Those using Windows machines are directed to sites that mostly host exploits from Blackhole. People using Apple iPads or iPhones are redirected to porn sites that may also be hosting malicious code. Cdorked also stores most of its inner workings in a server's shared memory, making it hard for some admins to know their sites are infected. Compromised systems can receive up to 70 different encrypted commands, a number that gives attackers fairly granular control that can be remotely and stealthily invoked.

In another testament to the ambition of its operators, Cdorked relies on compromised domain name system servers to resolve the IP addresses of redirected sites. The use of "trojanized DNS server binaries" adds another layer of obscurity to the attacks, since they make it easier for attackers to serve different sites to different end users.

"They are using the compromised DNS server to very accurately filter out who is going to visit the next stage Web server," Bureau said in an interview. "This means, for example, that security researchers will have a very hard time being served the same content as a victim. It makes the investigation and tracking this operation harder. They are trying to control every step along the way to make every visit very traceable but also very hard to recreate."

(...)

full story at ArsTechnica

malicious sysadmin

a real case:

Indictment: Sysadmin passed over for promotion quits, then strikes back
Angry "ERP Guru" allegedly steals credentials, wreaks havoc on former employer.
ArsTechnica

The idea of the disgruntled sysadmin turning techno-Robin Hood and giving his or her employer a taste of their own medicine is almost universally popular on tech-centric sites and message boards. However, things almost never work out positively for the people who turn revenge-fantasy into reality. The latest sysadmin to strike back, Smithtown, NY-based Michael Meneses, is facing federal charges for allegedly causing over $90,000 in damage to his employer, the Spellman High Voltage Electronics Corporation.

According to the New York Times and several other sources (including ComputerWorld), Meneses' primary task at Spellman was managing the company's enterprise resources management application. As anyone who's been in IT for any length of time knows, ERP applications are almost always cranky and expensive beasts that require employees dedicated to their care and feeding. (...)

Meneses was one of two employees responsible for the ERP management and customization, and multiple sources describe Meneses as being angry in late 2011 for being passed over for promotion. So angry, in fact, that he allegedly tendered his two-weeks notice in response. His role as ERP administrator gave him privileged access to at least some of the company's IT systems, and though it's impossible to say exactly what happened, the Times' piece reports that before his access was removed, coworkers witnessed Meneses copying files off of his company computer onto a flash drive.

After his employment was terminated, the FBI claims Meneses embarked on a three-week revenge campaign against the company, causing "over $90,000" in damage to Spellman's business. The actual descriptions of what Meneses is supposed to have done and the methods allegedly used are annoyingly vague across all the available sources, with all agreeing that he "hacked into the company's network." According to the reports, Meneses then deployed "a program that captured user log-in names and passwords" of his former coworkers. The FBI's press release also says that he used stolen user credentials to access Spellman's network via a VPN connection, where he then "corrupt[ed] the network," whatever that means.

(...)

full story