Posted by Eric Torres on Wed, Aug 31, 2011 @ 04:47 PM
Various Internet security firms report a new Internet worm is spreading in the wild and taking advantage of weak passwords on Windows systems.
First reported Sunday, the Morto worm or Win32/Morto appears to be an old-school Internet worm, a rarity in recent years when Trojans and bots make up the majority of new malicious samples. Morto displays a mixture of sophistication and directness in its search for server prey.
According to multiple reports, Morto infects Windows workstations and servers, but spreads via the Windows Remote Desktop Protocol (RDP), an element of the Windows Remote Desktop Connection service that allows a Windows PC or server to be controlled remotely.
After loading itself as a hard-to-detect service inside the Windows svchost.exe process, the malware opens Remote Desktop Protocol (RDP) connections on port 3389: it cycles through the IP addresses it detects on any reachable subnet and tries to connect using a short dictionary of candidate passwords.
Some of the passwords on its list include admin, admin123, user, test, *1234, letmein, password, server and 1234567890, according to an entry on Microsoft's Malware Protection Center (MMPC). Once the worm figures out the weak password, it connects to the remote system and copies itself. Several Morto variants have already been identified.
If the worm gets lucky and guesses a correct password on the server, it then copies itself to the victim system and tries to elevate its own process to gain Administrator control before downloading further components.
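The behaviour described above leaves a recognisable trace on the target: a burst of failed RDP logons from one source, sometimes followed by a success. As an added example (not code from the original post, from River Run, or from Microsoft), the Python below turns that into a check a defender can run over Windows Security log exports. Event ID 4625 (failed logon), Event ID 4624 (successful logon) and Logon Type 10 (RemoteInteractive, i.e. RDP) are real Windows identifiers; the one-line log format, the sample events and the IP addresses are constructed for the example, and the `password_is_acceptable` rule is one reading of the guidance quoted later in the post (14 or more characters, mixed character classes) plus the worm's published word list.

```python
"""Detect RDP password-guessing bursts of the kind Morto generates (added example).

The input is a constructed, simplified rendering of Windows Security events:
EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
Real event exports carry many more fields; this format is an assumption
chosen so the example runs offline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Four failures from 10.0.0.5
# inside a few seconds, then a success, look like a dictionary attack that
# guessed right; the single failure from 10.0.0.7 is a user mistyping.
SAMPLE_EVENTS = """\
2011-08-28T10:15:02 EventID=4625 LogonType=10 SourceIP=10.0.0.5 TargetUser=Administrator
2011-08-28T10:15:03 EventID=4625 LogonType=10 SourceIP=10.0.0.5 TargetUser=Administrator
2011-08-28T10:15:04 EventID=4625 LogonType=10 SourceIP=10.0.0.5 TargetUser=admin
2011-08-28T10:15:05 EventID=4625 LogonType=10 SourceIP=10.0.0.5 TargetUser=Administrator
2011-08-28T10:15:09 EventID=4625 LogonType=10 SourceIP=10.0.0.7 TargetUser=jsmith
2011-08-28T10:15:30 EventID=4624 LogonType=10 SourceIP=10.0.0.5 TargetUser=Administrator
2011-08-28T10:20:00 EventID=4625 LogonType=2 SourceIP=- TargetUser=jsmith
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"SourceIP=(?P<ip>\S+) TargetUser=(?P<user>\S+)$"
)

# Password list the post attributes to Microsoft's MMPC write-up of the worm.
MORTO_DICTIONARY = {"admin", "admin123", "user", "test", "*1234",
                    "letmein", "password", "server", "1234567890"}


def parse_events(text):
    """Yield (timestamp, event_id, logon_type, source_ip, user) per valid line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        yield (datetime.fromisoformat(m["ts"]), int(m["eid"]),
               int(m["lt"]), m["ip"], m["user"])


def rdp_guessing_sources(text, threshold=3, window=timedelta(minutes=5)):
    """Map source IP -> peak number of failed RDP logons seen inside `window`,
    for every source that reached `threshold` failures (sliding window)."""
    failures = defaultdict(list)
    for ts, eid, lt, ip, _user in parse_events(text):
        if eid == 4625 and lt == 10:  # failed RemoteInteractive logon only
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop failures older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def successful_after_guessing(text, flagged):
    """Return flagged sources that later logged on successfully over RDP:
    the 'guessed the password' case the post describes."""
    first_fail, hits = {}, set()
    for ts, eid, lt, ip, _user in parse_events(text):
        if lt != 10 or ip not in flagged:
            continue
        if eid == 4625:
            first_fail.setdefault(ip, ts)
        elif eid == 4624 and ip in first_fail and ts > first_fail[ip]:
            hits.add(ip)
    return hits


def password_is_acceptable(pw):
    """Reject the worm's word list and anything short of the guidance quoted
    in the post: 14+ characters drawn from at least three character classes
    (the 'three of four' rule is this example's interpretation)."""
    if pw.lower() in MORTO_DICTIONARY:
        return False
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) >= 14 and sum(classes) >= 3


if __name__ == "__main__":
    flagged = rdp_guessing_sources(SAMPLE_EVENTS)
    print("guessing sources:", flagged)
    print("succeeded after guessing:", successful_after_guessing(SAMPLE_EVENTS, flagged))
    print("'letmein' acceptable?", password_is_acceptable("letmein"))
```

Run against the constructed sample, 10.0.0.5 is flagged with four failures and then a success, while 10.0.0.7 (one typo) and the local console failure (Logon Type 2) are ignored; tune `threshold` and `window` to the normal failure rate of your own hosts before alerting on real exports.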
Microsoft confirmed the existence of the worm in a TechNet blog post Sunday, but it remains unclear which versions of Windows may be vulnerable and the extent to which it is spreading successfully.
In its post, Microsoft also advised the use of strong passwords, which should be 14 characters or longer and contain a variety of letters, punctuation, symbols and numbers.
As Microsoft's researchers point out, Morto needs no software exploit to do its job, only weak passwords of the sort that plague even well-defended networks, which are full of more devices than the teams looking after them can easily manage.
"This particular worm highlights the importance of setting strong system passwords," said Microsoft's Hil Gradascevic. "The ability of attackers to exploit weak passwords shouldn't be underestimated."
It is important to remember that this malware does not exploit a vulnerability, but instead relies on weak passwords. River Run encourages our readers to use strong passwords to help protect their systems. We also encourage users to enforce both strong passwords and regular password changes.
Posted by Eric Torres on Fri, Aug 12, 2011 @ 10:12 AM
Members of the notorious hacker group Anonymous have set their sights on taking down Facebook. They have even set a date, November 5th.
The 'hacktivists', infamous for meddling with the American government, for launching cyber-attacks on Sony, News Corp, Amazon, PayPal, MasterCard, Visa and the Pentagon, among other targets, and for their support of WikiLeaks, have announced that they will focus on bringing down the social networking site because of its privacy policy.
The announcement was made in a YouTube video and cites allegations of privacy infringement. Anonymous members accuse Facebook of selling information to government agencies and giving clandestine access to information security firms so they can spy on people from all around the world.
"Everything you do on Facebook stays on Facebook regardless of your 'privacy' settings, and deleting your account is impossible, even if you 'delete' your account, all your personal info stays on Facebook and can be recovered at any time," the statement reads. "Changing the privacy settings to make your Facebook account more "private" is also a delusion. Facebook knows more about you than your family."
The chilling video, a two-minute warning and explanation using a computerized voice, begins: "Attention citizens of the world, your medium of communication you all so dearly adore will be destroyed."
Anonymous, whose members have been known to wear Guy Fawkes masks - copying the film V for Vendetta - when they appear in public, has launched what it calls 'Operation Facebook'. It has pledged to bring down Facebook on November 5 - Bonfire Night - which commemorates the day in 1605 when Guy Fawkes tried to blow up Parliament.

Recently fourteen members of Anonymous have been arrested by FBI agents on charges related to their alleged involvement in the distributed denial of service (DDoS) attacks against online payment processor PayPal late last year. Further arrests and indictments are expected as authorities continue their investigations into other Anonymous attacks.
The Village Voice was actually one of the first to discover the Anonymous statement and brings up a very good point: killing Facebook for the sake of preserving privacy by a group of people who routinely steal private information is awfully ironic. How can the group be so adamant about privacy if they themselves are responsible for the theft of private information?
Anonymous said November 5th “will go down in history.” It added, “One day you will look back on this and realize what we have done here is right, you will thank the rulers of the internet, we are not harming you but saving you.”
Even though Anonymous has had success in hacking some major websites in the past, it’s questionable that it would be successful against Facebook. It might not have been the smartest idea to give Facebook several months to prepare for an attack. Many believe it will be extremely unlikely Facebook would be brought down, but when you’re talking about a group of hackers with motivation and disdain, you can never be certain.
UPDATED: Video has since been removed by user. Please find the Anonymous Threat video here. http://www.youtube.com/watch?v=Q6crH8qmyZ8
Posted by Eric Torres on Thu, Aug 11, 2011 @ 03:49 PM

A computer system at the University of Wisconsin-Milwaukee was hacked and bugged with malicious software.
According to the Milwaukee Journal Sentinel, malicious code was discovered on a document management database server. The university contacted law enforcement and after a month-long investigation realized that the database on the system contained over 75,000 records that included social security numbers for both students and employees.
Although this breach, which was discovered back on May 25, could have exposed the names and Social Security numbers of some 75,000 students, faculty and staff, UWM officials told the newspaper that the university has no evidence that information was looked at or used.
Nobody is sure how long the malware was running on the server, but it was shut down once the breach was found. UWM leaders are suggesting someone might have been trying to gain access to the university's computers for a different reason. It is suspected that the software was being used to identify cutting edge research that the school is working on, but that has yet to be confirmed.
"We are a research institution with a significant number of projects under way. It is theorized that this may have been an attempt to look at work being done," Tom Luljak, UWM's vice chancellor for university relations, told the newspaper. He added that the malicious software was installed remotely.
While the forensic investigation states that there is no evidence that the personal information was stolen, the school is still warning students to be vigilant by monitoring their credit history and putting a freeze on their credit report. It is also interesting to note that although most companies that suffer data breaches end up offering one year of free credit monitoring to the victims, the University of Wisconsin says that since there was no evidence the data was stolen, they will not offer the free service.
It’s also good to know that while students may have had their identity stolen, the database contained no “academic information such as student grades,” so at least the attackers won’t be able to identify whether students passed their criminology courses.
For more information on the security breach, UWM has set up this website.
Posted by Eric Torres on Thu, Jun 09, 2011 @ 08:55 PM
It is being reported that hackers have stolen the details of thousands of Citibank customers, including their account details and personal information. As it turns out, this isn't actually today's news. This major security breach, resulting in the theft of personal information for nearly 200,000 Citibank customers, actually happened last month. You hadn't heard? Neither had we, and that's because Citibank chose to keep quiet about it until today.
Reuters is reporting that Citibank's systems were hacked, resulting in a loss of Personally Identifiable Information (PII). Citibank says that data for 1% of their cardholders was accessed through this breach, but customers' Social Security Numbers (SSNs), birth dates, card expiration dates and CVV codes are safe. Information that may have been disclosed to the hackers includes customers' names, account numbers, contact details and email addresses.
According to Citibank's website they are the world's largest provider of credit cards, issuing more than 150,000,000 cards globally, but since the breach was reportedly localized to North American customer data, only about 200,000 accounts were affected. I say "only" lightly, because this could have been much, much worse if it weren't localized to North American customers.
Customers affected by this incident should be on high alert for scams, phishing and phone calls purporting to be from Citibank and its subsidiaries. While Citi customers aren't likely to see fraudulent charges against their accounts as a result of this breach, they are likely to encounter social engineering attempts that enable further crime. Since the attackers hold your name, account number and other sensitive information, they are able to present a very convincing cover story to victims.
For Citibank customers (and the rest of us alike), there are some things you should keep an eye out for. Never accept incoming communications purporting to be from financial institutions you do business with, whether by email or phone call. Call them back using only the phone numbers published on your cards or statements. When logging in to perform online transactions, always enter the website address directly in your browser; never click links or shortcuts.
Citibank is just the latest company to be hit by hackers. The most high profile was electronics and gaming giant Sony, where the details of millions of customers were stolen. It is getting uglier out there, and there is no time like right now to get your personal security house in order, though in the case of both the Citibank and Sony attacks, it wouldn't have made a whole lot of difference.