Month: November 2014
Security experts are warning of a new hacktivist campaign which goes further than merely defacing websites, by linking to malware which could allow for remote code execution by an attacker.
The group in question claims to be part of the ‘AnonGhostTeam’ collective which has targeted government and mass media sites in the past, Zscaler security researcher Chris Mannon explained in a blog post.
“This appears to be a new tactic whereby a hacktivist group has escalated their activities by attacking users who visit defaced sites,” said Mannon.
“This is out of character for such groups that generally seem more interested in disrupting private sector compliance with government entities, than targeting end users.”
Dokta was serving up a malicious payload for recently disclosed Microsoft vulnerability CVE-2014-6332, which was fixed earlier this month with bulletin MS14-064.
This can cause remote code execution if the victim visits a specially crafted webpage using Internet Explorer. The flaw is triggered when IE improperly accesses Object Linking and Embedding (OLE) objects in the memory, Mannon explained.
The attackers are focusing only on 32-bit Windows users running IE, with the exploit code crafted to abort if it detects that the machine is not running IE on Windows, or is a 64-bit system.
Western media sites have again been hit by the Syrian Electronic Army hacking group, which breached the popular commenting platform Gigya, resulting in popups appearing on news outlets such as the Independent in the early hours of this morning.
Other sites affected included well-known media properties such as CNBC, The Telegraph, The Chicago Tribune and PC World.
According to Gigya chief executive Patrick Salyer, the hackers managed to alter the whois domain registration record for gigya.com.
Salyer insisted that this was the only consequence of the hacking and that no data of any kind had been compromised, and that the Gigya platform itself was safe.
Gigya has rectified the incorrect whois record, and the correct DNS pointers are now propagating through the worldwide lookup system.
The Syrian Electronic Army is an unknown group of hackers, possibly affiliated with the regime of the country’s dictator Basheer al-Assad.
Vodafone accidentally leaked the records of over 1,700 News UK journalists and staffers to the Metropolitan Police Service (MPS) after the cops requested the details of just one hack under investigation last year, it has emerged.
The Met demanded the call records of a Sun journalist in October last year as part of Operation Elveden – an investigation into the payment of public officials by hacks in return for private info.
However, due to what it claims was “human error” Vodafone accidentally handed over the phone records of 1,757 people working at the Murdoch-owned News UK.
Those people included “journalists, lawyers, secretarial staff and senior executives covering the years 2005-07,” according to The Times.
However, despite knowing the data had been sent to them by accident, the Met analyzed it in its entirety, building a spreadsheet of all outgoing calls made from the 1,700+ phones in question.
It was apparently months before the police notified the authorities of the error and sent a copy of the data back to Vodafone.
A spokesman for the operator told The Times in a statement that the dataset could have been corrupted.
“We wrote to the Met to express our grave concern that the police continued to retain the data released to them in error and made it clear to them that any assumption that meaningful conclusions could be drawn from any aspect of the corrupted dataset was highly questionable,” he added.
A Met spokesman, meanwhile, said the MPS had consulted with the Interception of Communications Commissioner’s Office (IOCCO), and the Information Commissioner on what it should do with the data.
A message from the hackers bears a picture of a skeleton and threatens to release the company’s “top secrets”
Sony Pictures Entertainment was forced to shut down its worldwide email and computer network on Monday after being targeted by hackers who threatened to reveal the company’s “secrets.”
A message entitled “Hacked by #GOP” with a picture of a skeleton in the background appeared on company computers Monday morning, Deadline.com reported.
“We’ve already warned you, and this is just a beginning,” the message read, going on to state that the hackers have obtained “all your internal data including your secrets and top secrets.” They then threatened to release the data by 11 p.m. if their demands aren’t met, but no demands have apparently been made clear yet.
Researchers Uncover Government Spy Tool Used to Hack Telecoms and Belgian Cryptographer
It was the spring of 2011 when the European Commission discovered it had been hacked. The intrusion into the EU’s legislative body was sophisticated and widespread and used a zero-day exploit to get in. Once the attackers established a stronghold on the network, they were in for the long haul. They scouted the network architecture for additional victims and covered their tracks well. Eventually, they infected numerous systems belonging to the European Commission and the European Council before being discovered.
Two years later another big target was hacked. This time it was Belgacom, the partly state-owned Belgian telecom. In this case, too, the attack was sophisticated and complex. According to published news reports and documents leaked by Edward Snowden, the attackers targeted system administrators working for Belgacom and used their credentials to gain access to routers controlling the telecom’s cellular network. Belgacom publicly acknowledged the hack, but has never provided details about the breach.
Then five months after that announcement, news of another high-profile breach emerged—this one another sophisticated hack targeting prominent Belgian cryptographer Jean-Jacques Quisquater.
Now it appears that security researchers have found the massive digital spy tool used in all three attacks. Dubbed “Regin” by Microsoft, the tool has been found on more than a hundred victims to date, but there are likely many others still unknown. That’s because the espionage tool—a malicious platform capable of taking over entire networks and infrastructures—has been around since at least 2008, possibly even earlier, and is built to remain stealthy on a system for years.
The threat has been known since at least 2011, around the time the EU was hacked and some of the attack files made their way to Microsoft, which added detection for the component to its security software. Researchers with Kaspersky Lab only began tracking the threat in 2012, collecting bits and pieces of the massive threat. Symantec began investigating it in 2013 after some of its customers were infected. Putting together information from each, it’s clear the platform is highly complex and modular and can be customized with a wide range of capabilities depending on the target and the attackers’ needs. Researchers have found 50 payloads so far for stealing files and other data, but have evidence that still more exist.
Drupal Core – Vulnerabilities – SA-CORE-2014-006
- Advisory ID: DRUPAL-SA-CORE-2014-006
- Project: Drupal core
- Version: 6.x, 7.x
- Date: 2014-November-19
- Security risk: 14/25 (Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
- Vulnerability: Multiple vulnerabilities
Session hijacking (Drupal 6 and 7)
A specially crafted request can give a user access to another user’s session, allowing an attacker to hijack a random session.
This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content (“mixed-mode”), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7.
Denial of service (Drupal 7 only)
Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text.
A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).
This vulnerability can be exploited by anonymous users.
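The advisory does not describe the crafted request, so the following is a general illustration of the bug class rather than Drupal's own password.inc: an iterated, salted hash whose cost grows with both the work factor and the length of the submitted password, so a verifier that hashes whatever it is handed lets an anonymous caller dictate how much CPU each login attempt burns. This is an added example, not code from the page or the Drupal project; the `$ex$` hash encoding, the byte and round limits, and the function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Policy limits enforced by the hardened verifier. Constructed for this
# example; they are not Drupal's constants.
MAX_PASSWORD_BYTES = 512   # refuse anything longer before touching the hash
MIN_LOG2_ROUNDS = 7        # below this the hash is too cheap to be useful
MAX_LOG2_ROUNDS = 20       # above this a single request ties up a core


def _iterated_sha512(password: bytes, salt: bytes, log2_rounds: int) -> bytes:
    """Salted SHA-512 applied 2**log2_rounds times.

    Every iteration re-hashes the full password, so the work done is roughly
    (len(password) + 64) * 2**log2_rounds bytes of SHA-512 input.
    """
    digest = hashlib.sha512(salt + password).digest()
    for _ in range(1 << log2_rounds):
        digest = hashlib.sha512(digest + password).digest()
    return digest


def bytes_hashed(password_len: int, log2_rounds: int) -> int:
    """Approximate SHA-512 input volume for one verification (cost model)."""
    return (password_len + 64) * (1 << log2_rounds)


def make_hash(password: bytes, log2_rounds: int = 12,
              salt: Optional[bytes] = None) -> str:
    """Encode work factor, salt and digest into one stored string ($ex$ format,
    constructed here; it mimics the shape of common modular-crypt formats)."""
    if salt is None:
        salt = secrets.token_bytes(8)
    digest = _iterated_sha512(password, salt, log2_rounds)
    return f"$ex${log2_rounds}${salt.hex()}${digest.hex()}"


def parse_hash(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored $ex$ string into (log2_rounds, salt, digest)."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "ex":
        raise ValueError("unrecognised hash format")
    return int(parts[2]), bytes.fromhex(parts[3]), bytes.fromhex(parts[4])


def verify_naive(password: bytes, stored: str) -> bool:
    """Weak: hashes whatever it is given. A request carrying a multi-megabyte
    password (or a stored string with an absurd round count) keeps this busy
    for as long as the caller likes, which is the exhaustion pattern the
    advisory warns about."""
    log2_rounds, salt, digest = parse_hash(stored)
    return hmac.compare_digest(_iterated_sha512(password, salt, log2_rounds), digest)


def verify_bounded(password: bytes, stored: str) -> bool:
    """Hardened: reject oversized input and out-of-range work factors before
    doing any hashing, so per-request cost is capped by server policy, not by
    the client."""
    if len(password) > MAX_PASSWORD_BYTES:
        return False
    log2_rounds, salt, digest = parse_hash(stored)
    if not MIN_LOG2_ROUNDS <= log2_rounds <= MAX_LOG2_ROUNDS:
        return False
    return hmac.compare_digest(_iterated_sha512(password, salt, log2_rounds), digest)


if __name__ == "__main__":
    stored = make_hash(b"correct horse battery", log2_rounds=10)
    print("bounded, good password:", verify_bounded(b"correct horse battery", stored))
    print("bounded, 1 MiB password rejected:", not verify_bounded(b"a" * (1 << 20), stored))
    print("cost ratio 1 MiB vs 8 bytes:",
          bytes_hashed(1 << 20, 10) // bytes_hashed(8, 10))
```

The length cap matters more than it looks: with `bytes_hashed`, a 1 MiB password costs over ten thousand times more than an 8-byte one at the same round count, and the naive verifier pays that price for an anonymous, unauthenticated request. The bound on the round count is the companion check, so that a corrupted or tampered stored string cannot push a single verification into minutes of CPU either.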
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Drupal core 6.x versions prior to 6.34.
- Drupal core 7.x versions prior to 7.34.
Install the latest version:
- If you use Drupal 6.x, upgrade to Drupal core 6.34.
- If you use Drupal 7.x, upgrade to Drupal core 7.34.
If you have configured a custom session.inc file for your Drupal 6 or Drupal 7 site you also need to make sure that it is not prone to the same session hijacking vulnerability disclosed in this security advisory.
If you have configured a custom password.inc file for your Drupal 7 site you also need to make sure that it is not prone to the same denial of service vulnerability disclosed in this security advisory. See also the similar security advisory for the Drupal 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113
The finding comes from a KPMG survey of 300 senior IT and HR professionals in organizations with 500 or more staffers. Some 74 percent said they are facing new challenges in cyber-security, and 70 percent admit their organization “lacks data protection and privacy expertise.” In addition, the majority said they are wary of their organization’s ability to assess incoming threats.
Even though 60 percent said they have a strategy for dealing with any skills gaps, 57 percent agree it has become more difficult to retain staff in specialized cyber skills in the past two years. In addition, 60 percent said they are worried about finding cyber experts who can effectively communicate with the corporate side of the business and not just the IT department.