Archive for November, 2009

New Worm Attacking Skype users

Security experts at Trend Micro have warned of a new attack targeting Skype users. The attack is a botnet similar to Koobface, which caused a big panic on Facebook.

According to the report, the botnet steals the user's contact list, phone numbers, location and other information from Skype, and spreads its malicious code to those contacts through instant messages containing URL links that point to an infected website hosting a Trojan.

Here is what the report says about the botnet:

Though TROJ_VILSEL.EA’s behavior is largely similar to previous Koobface variants (the target application excluded), it is actually not a member of the infamous malware family. Both the malicious code and network behavior differ from previously known Koobface variants. It would not be a great surprise, however, if the actual Koobface cybercriminals produce their own variant with this behavior.

This development only highlights the ingenuity of cybercriminals in going after targets using tried-and-tested ways to spread their malicious creations. Trend Micro Smart Protection Network protects users from this attack by blocking access to the malicious URL, thereby preventing users’ systems from getting infected.

Now the most important thing is to make sure that you check the PC you use for Skype and other VoIP applications for rootkits and Trojans.

make sure you subscribe to my RSS feed!


Mandriva Flash 2010 – A mobile 3D Desktop on a USB Stick!

Mandriva has released a new USB-drive edition, Mandriva Flash 2010; this version of the OS will be on the market by mid-December. The USB stick has 8 GB of storage: users can store documents and files in 6 GB, while the OS takes 2 GB.

According to Mandriva, the release suits people who travel often: they no longer need to carry a laptop everywhere, just the USB stick. Boot from it and you can work directly on any available machine.
The OS includes Firefox, Thunderbird, Skype, OpenOffice and other useful applications. You can also transform a PC into an impressive 3D desktop with lots of animations and effects, quickly and easily.

You can order Mandriva Flash 2010 here.


London Stock Exchange Suffered a System Failure Again

On Thursday at 9:32, the London Stock Exchange (LSE), one of the largest stock exchanges in the world, experienced a failure lasting more than three hours. The failure resulted in a loss of more than 5 percentage points, to 62.85 percent, of FTSE 100 stocks. The problem gave investors a negative impression of the current situation of the LSE.

This was not the first time the LSE has suffered a failure due to technical issues: in September 2008, traders were unable to buy or sell stocks because of a computer software glitch. In an attempt to improve its market, the LSE recently acquired MillenniumIT for £18 million (US$30m), to use it as another platform to help avoid technical problems.

For the LSE, a failure of an hour can mean billions of dollars of lost trades, and the LSE also faces competition from other trading venues such as Chi-X and BATS, so any failure can cause serious losses.


Guest blog: Keeping Your IT Systems Secure and Up to Date

For organizations that want to keep their computer network secure, the most basic thing they can do is to keep it patched.

It’s not necessarily the most glamorous work out there for your overworked and overstretched IT people (which is why so many organizations are ignoring patching, at their peril). But your servers, network systems, routers and switches need to get patched regularly to prevent vulnerabilities. When systems don’t get patched, organizations can end up with a data breach.

The good news is that security patches are often automated. The bad news is that oftentimes, you will need to configure your system to receive those patches. Patch management also must be monitored carefully to avoid security threats that could try to take advantage of a fully-automated approach. Install-and-forget isn’t an option.

Some critical keys to successful security patch management are the development of a rigorous schedule and expertise to conduct patch testing to check that promised security improvements are actually working (and if not, finding a fix for that). As well, regularly-scheduled assessments should also be done to ensure that patched systems are truly compliant with both your business needs and regulations. For instance, the process of data transferral should be assessed to ensure confidential information is encrypted or otherwise secure.

There are numerous software packages which allow for central patch management across many OS platforms and applications. No IT department should be without one.

IT departments ought to continue to devote their time to developing solutions that meet business needs, but should also be scheduling time to take care of security patching. It’s not glamorous, but neither is finding that your organization has suffered a data breach.

Contributed by Vaclav Vincalek, PCIS President and author of the Pacific Coast Informer Blog


Donbot Leads a Way To Twitter Spam

Once more, major botnets are using social networking websites to spread spam.

Symantec's MessageLabs warned recently that DonBot has started a new massive spam run; from 18 November the lab detected it accounting for 4% of global spam traffic.

The spam message includes an offer to work from home for a salary of 100-200 dollars a day; to be considered for the opportunity, the victim should send an initial payment and wait for the golden ticket.

The message also includes an image with a link that redirects the victim to a Twitter page, giving hackers a way to hijack Twitter accounts and spam other users.
This shows that HTTP links in instant-messaging conversations are increasingly becoming a way to deliver “instant malware.”

If you receive such a message on Twitter, try not to click directly on the short link; check the original URL first. LongURL.org can help here: it expands short URLs so you can examine them before visiting, find out where links really take you, and so avoid phishing, malware and viruses.

You can also use the Tamper Data plugin for Mozilla Firefox, which helps to test web application security and track the requests and responses behind a URL link.


Quick Tips to Fight DDoS Attack

In a previous post we shared how to prepare our systems for a DDoS attack and how to mitigate the risk. Now it is important to react at the right moment and take effective action during the attack. Monitoring the router connections can help the victim detect the beginning of an attack.

First we should monitor the half-open (SYN_RCVD) connections:

# netstat -na | grep ":80 " | grep SYN_RCVD

In a normal situation the number should not exceed three connections. If there are more open connections than that, you are under attack and you should start by dropping these connections.
This is the SYN-flood case; an HTTP flood is more complicated to detect. First you need to count the number of Apache processes and the number of port 80 connections:

# ps aux | grep httpd | wc -l

# netstat -na | grep ":80 " | wc -l

Next you need to check the list of IP addresses (the awk step keeps only the foreign-address column, so that repeats are counted per client rather than per whole line):

# netstat -na | grep ":80 " | awk '{print $5}' | sort | uniq -c | sort -nr | less

It is impossible to be certain that an HTTP-flood attack is in progress, but you can assume that you are under attack if one address in the list is repeated too many times. Additional evidence can be gathered using tcpdump:

# tcpdump -n -i <interface> -c 100

tcpdump will help you track the source of the attack if a large number of packets target a single port or service (a CGI script or a web directory).

Finally, we have to start working around the situation by dropping the malicious IP addresses. You can block IPs directly on the router.
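The counting steps above can be wrapped in a few shell functions so they can be re-run during an incident. This is an added example, not from the original post: the function names (count_syn_rcvd, top_port80_sources, flag_sources) and the netstat listing in SAMPLE_NETSTAT are constructed for illustration, and the threshold of three connections is the one the post states.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a "netstat -na"
# listing for signs of SYN-flood or HTTP-flood pressure on port 80.
# SAMPLE_NETSTAT is a constructed listing in FreeBSD format (address.port);
# the address-field patterns also accept the Linux address:port form.

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.80            203.0.113.9.51234      SYN_RCVD
tcp4       0      0  10.0.0.5.80            203.0.113.9.51235      SYN_RCVD
tcp4       0      0  10.0.0.5.80            203.0.113.9.51236      SYN_RCVD
tcp4       0      0  10.0.0.5.80            203.0.113.9.51237      SYN_RCVD
tcp4       0      0  10.0.0.5.80            198.51.100.20.40001    ESTABLISHED
tcp4       0      0  10.0.0.5.80            198.51.100.21.40002    ESTABLISHED
tcp4       0      0  10.0.0.5.22            192.0.2.7.55000        ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN'

# Count half-open connections on local port 80 (SYN_RCVD on BSD, SYN_RECV on
# Linux). Reads a netstat -na listing on stdin, prints a bare number.
count_syn_rcvd() {
    grep -E '^tcp' \
        | awk '$4 ~ /[.:]80$/ && $6 ~ /^SYN_(RCVD|RECV)$/' \
        | wc -l | tr -d ' '
}

# List foreign addresses talking to local port 80, most frequent first.
# The port suffix is stripped so one client is counted once per connection
# instead of once per (address, port) pair; the LISTEN socket is skipped.
top_port80_sources() {
    grep -E '^tcp' \
        | awk '$4 ~ /[.:]80$/ && $6 != "LISTEN" {print $5}' \
        | sed -E 's/[.:][0-9]+$//' | sort | uniq -c | sort -nr
}

# Print only the sources with more than $1 connections (default 3, the
# threshold the post uses). These are candidates to review before blocking.
flag_sources() {
    threshold="${1:-3}"
    top_port80_sources | awk -v t="$threshold" '$1 > t {print $2}'
}

# On a live host:   netstat -na | count_syn_rcvd
#                   netstat -na | flag_sources 3
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | count_syn_rcvd
printf '%s\n' "$SAMPLE_NETSTAT" | flag_sources 3
```

The functions take the netstat listing on standard input, so the same code works against a saved capture of the listing taken during an attack as well as against a live `netstat -na`; a flagged address is a candidate to review, since a busy proxy or NAT gateway will legitimately appear many times.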


On FreeBSD we can take some steps to mitigate DDoS:

1 – Reduce the maximum segment lifetime (protection against SYN flood):

# sysctl net.inet.tcp.msl=7500

If an ACK is not received within this time, the segment is considered “lost” and the connection state is freed.

2 – Move your server into a blackhole when a TCP packet is received on a closed port. When set to ‘1’, SYN packets arriving on a closed port are dropped without a RST packet being sent back; the value 2 used below also drops all other segments to closed ports, and the UDP setting drops packets to closed UDP ports without an ICMP reply.

# sysctl net.inet.tcp.blackhole=2
# sysctl net.inet.udp.blackhole=1

3 – Limit ICMP replies to 50 per second (protection against ICMP flood):

# sysctl net.inet.icmp.icmplim=50

4 – Increase the maximum number of pending connections the server's listening sockets can queue (protection against all types of DDoS):

# sysctl kern.ipc.somaxconn=32768

5 – Finally, enable the kernel feature DEVICE_POLLING (it significantly reduces the load on the system during a DDoS attack):

1. Compile the kernel with “options DEVICE_POLLING”;
2. Activate the polling mechanism: “sysctl kern.polling.enable=1”;
3. Add the entry “kern.polling.enable=1” to /etc/sysctl.conf.

These are well-balanced steps to mitigate exposure to a Distributed Denial of Service attack.


Metasploit Framework 3.3 New Stable Release

A new release has recently been announced by the Metasploit team. The Metasploit Framework helps perform penetration testing and create new exploits for known bugs.

The Metasploit platform is used by network security professionals, network admins, developers and researchers to test the security level of any newly installed system. The project was created to provide information on exploit techniques and to create a useful resource for exploit developers and security professionals. Metasploit is an open source project managed by Rapid7. The software packages are based on Ruby and C.

Development of Metasploit Framework 3.3 took about 12 months. The new version includes 120 new exploit modules, over 100 new auxiliary modules and 180 bug fixes. The release notes are online and you can download the toolkit immediately.


Universal Tips to Avoid DDoS Attack

There are some points that can help to carefully prepare our systems against Distributed Denial of Service:

1- Prepare a simple and fast way to remotely reboot servers exposed to the external network (web servers, mail servers, application servers...). This can be done using SSH; we can also add a second network interface to reach the server while the main channel is down.

2- Keep all software packages up to date, to protect our systems from DoS attacks that exploit bugs in the available services.

3- Restrict access to all admin services to authorized users only, for example by using IP restrictions for accessing devices like firewalls, routers and other network devices, so that an attacker will not be able to launch a DoS or brute-force attack against them.

4- Monitor the traffic by installing network analysis tools (NetFlow) on the routers to help identify an attack in its early phase and react to stop it as soon as it is detected.

5- Add the following lines to /etc/sysctl.conf:
# vi /etc/sysctl.conf
# Protection against spoofing
net.ipv4.conf.default.rp_filter = 1
# Check TCP connections every minute.
net.ipv4.tcp_keepalive_time = 60
# Repeat the test after ten seconds
net.ipv4.tcp_keepalive_intvl = 10
# Number of attempts before closing the connection
net.ipv4.tcp_keepalive_probes = 5

It is very important to note that the listed methods aim only to reduce the risk of a DDoS attack; they can protect against small botnets, and you can consider your server 90% protected against such attacks. There are more sophisticated approaches such as load balancing, which is extremely expensive: if one server fails, all new clients are redirected to another server in the cluster, which provides very high availability.
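Settings like these only help if they are actually present after the next reboot, so it is worth auditing /etc/sysctl.conf against the values the post recommends. The script below is an added example, not from the original post: the helper names (normalise_conf, audit_sysctl, audit_problems) and the sample file in SAMPLE_CONF are constructed, and the WANTED list holds the four Linux keys from step 5 above; the FreeBSD keys from the Quick Tips post (net.inet.tcp.blackhole and the rest) can be audited the same way by changing that list.

```shell
#!/bin/sh
# Added example (not from the original post): check a sysctl.conf for the
# recommended key=value pairs and report OK / WRONG / MISSING per key.

# Recommended settings from the post (key=value, no spaces).
WANTED='net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_keepalive_time=60
net.ipv4.tcp_keepalive_intvl=10
net.ipv4.tcp_keepalive_probes=5'

# Constructed sample of a half-configured /etc/sysctl.conf: one wrong value,
# one commented out, two correct.
SAMPLE_CONF='# constructed /etc/sysctl.conf
net.ipv4.conf.default.rp_filter = 0
net.ipv4.tcp_keepalive_time = 60
# net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes=5'

# Normalise a sysctl.conf read on stdin: strip comments and blank lines,
# remove whitespace around "=" and at line ends, so every line is key=value.
normalise_conf() {
    sed -E -e 's/#.*//' -e '/^[[:space:]]*$/d' \
           -e 's/[[:space:]]*=[[:space:]]*/=/' \
           -e 's/^[[:space:]]+//' -e 's/[[:space:]]+$//'
}

# Compare the file on stdin with WANTED. If a key appears several times the
# last occurrence wins, which is how sysctl itself applies the file.
audit_sysctl() {
    conf="$(normalise_conf)"
    printf '%s\n' "$WANTED" | while IFS='=' read -r key want; do
        actual="$(printf '%s\n' "$conf" \
            | awk -F= -v k="$key" '$1 == k {v=$2} END {print v}')"
        if [ -z "$actual" ]; then
            echo "MISSING $key (want $want)"
        elif [ "$actual" = "$want" ]; then
            echo "OK $key=$want"
        else
            echo "WRONG $key=$actual (want $want)"
        fi
    done
}

# Number of keys that are wrong or missing; non-zero means action needed.
audit_problems() {
    audit_sysctl | grep -c -E '^(MISSING|WRONG)'
}

# On a live host:   audit_sysctl < /etc/sysctl.conf
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_CONF" | audit_sysctl
```

Running it on the sample reports the rp_filter line as WRONG (0 instead of 1), the commented-out keepalive interval as MISSING, and the other two as OK. The same functions can be fed `sysctl -a` output after normalising, to compare the running kernel rather than the file.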


Panda Cloud Protection Secures Endpoints and Emails

Panda Security has released a new solution that aims to protect email and computers from today's major threats, including spyware, rootkits and viruses.

Panda Cloud was first introduced as a beta version at the beginning of April. It was the first AV solution based on the software-as-a-service concept, addressing key issues for small and medium businesses such as eliminating the traditional cost and time associated with antivirus deployment (hardware and software), with no additional money spent on maintaining the AV solution.

The cloud antivirus works by classifying threats into executables, which must be scanned immediately, and non-executables, which are checked at a lower priority, usually when the machine is idle. This helps it process a large amount of data without consuming memory resources during work.

You can find more details here.


iPhone Next up for Hackers

Botnets are becoming the biggest threat and have reached every system on the globe, even mobile devices. I don't think there is a person who has not been a victim of a botnet; many people think the operator is responsible for spamming their customers, but this is not true.

Security professionals always try to anticipate the damage before it happens and to solve the serious issue; today hackers have changed their landscape to get more benefit from their cybercrimes.

The first important point to note is that modern phones have wireless adapters. This can make them always online and vulnerable to such attacks. Here I want to list some technical characteristics that show why mobile-phone zombies are attractive to attackers compared to classical infected machines:

1. Fast IP-address changing.
2. Low connection speed.
3. Ability to receive commands from the GSM network without the Internet (SMS..).
4. No antivirus or antispyware on the device.
5. No traffic control by the owner.
6. Personal data stored in the phone (credit card numbers, PINs, accounts, addresses, and so on).
7. Making calls and sending SMS.
8. Location on the map via GSM or GPS (if the phone has a receiver).
9. Recorder (usable as a listening device).

As you can see, here are 9 features that serve hackers perfectly in doing their job, and the list can be extended.

Now, what is the tactic hackers use to build botnets?

Usually they start by scanning the network for vulnerable hosts. Computers are identified by IP address, but the iPhone is identified by the IMEI, a unique code issued by the manufacturer. This code is also used to identify a stolen phone, so if you lose your phone the cellular operator can find it on the network using this ID. However, the same IMEI is used to identify the phone within the zombie network.

After identifying the phone, a Trojan is executed via an infected website or some other way; this Trojan acts as a back door and opens a port on the phone for connections, to get instructions from a remote host. From then on the phone acts as the attacker desires: sending spam for advertisements, changing the wallpaper or listening to conversations. As long as there is no AV and no traffic control such as a firewall, the phone will remain part of the botnet.
Here is the first iPhone worm, discovered and reported today by Sophos.

The good news is that this bot network is not very big, but we should be very careful about the iPhone sources and what we install on it (games, applications...).
