Posted by Eric Torres on Wed, Aug 31, 2011 @ 04:47 PM
Various Internet security firms report a new Internet worm is spreading in the wild and taking advantage of weak passwords on Windows systems.
First reported Sunday, the Morto worm or Win32/Morto appears to be an old-school Internet worm, a rarity in recent years when Trojans and bots make up the majority of new malicious samples. Morto displays a mixture of sophistication and directness in its search for server prey.
According to multiple reports, Morto infects Windows workstations and servers, but spreads via the Windows Remote Desktop Protocol (RDP), an element of the Windows Remote Desktop Connection service that allows a Windows PC or server to be controlled remotely.
After loading itself as a hard-to-detect service inside the Windows svchost.exe process, the malware opens Remote Desktop Protocol (RDP) connections on port 3389: it cycles through the IP addresses it detects on any reachable subnet and tries to log in using a short dictionary of candidate passwords.
Some of the passwords on its list include admin, admin123, user, test, *1234, letmein, password, server and 1234567890, according to an entry on Microsoft's Malware Protection Center (MMPC). Once the worm guesses a weak password, it connects to the remote system and copies itself. Several Morto variants have already been identified.
If the worm gets lucky and guesses a correct password on the server, it then copies itself to the victim system and tries to elevate its own process to gain Administrator control before downloading further components.
Microsoft confirmed the existence of the worm in a TechNet blog post Sunday, but it remains unclear which versions of Windows may be vulnerable and the extent to which it is spreading successfully.
In its post, Microsoft also advised the use of strong passwords, which should include 14 characters or more, and have a variety of letters, punctuations, symbols and numbers.
As Microsoft's researchers point out, Morto needs no software exploit to do its job, only weak passwords of the sort that plague even well-defended networks with more devices than the teams looking after them can easily manage.
"This particular worm highlights the importance of setting strong system passwords," said Microsoft's Hil Gradascevic. "The ability of attackers to exploit weak passwords shouldn't be underestimated."
It is important to remember that this malware does not exploit a vulnerability, but instead relies on weak passwords. River Run encourages our readers to use strong passwords to help protect their systems. We also encourage users to enforce both strong passwords and regular password changes.
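As an added example (not part of the original post), here is a small Python check that enforces the password rules the post attributes to Microsoft and rejects the Morto guesses quoted above; the function names and sample passwords are my own.

```python
import string

# The guess-list entries quoted from the MMPC write-up in the post above.
MORTO_DICTIONARY = {
    "admin", "admin123", "user", "test", "*1234",
    "letmein", "password", "server", "1234567890",
}

MIN_LENGTH = 14  # the minimum length Microsoft's post recommends


def password_problems(password: str) -> list:
    """Return the reasons a password fails the policy (empty list = passes).

    Policy, as stated in the post: at least 14 characters, a mix of letters,
    digits and punctuation/symbols, and nothing on the worm's guess list
    (compared case-insensitively).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation or symbols")
    if password.lower() in MORTO_DICTIONARY:
        problems.append("appears in the Morto guess list")
    return problems


def is_strong(password: str) -> bool:
    return not password_problems(password)


# Constructed sample an administrator might run through the check.
SAMPLE_PASSWORDS = ["admin123", "*1234", "CorrectHorseBatteryStaple",
                    "Mm-R3m0t3-D3sk+0p-9"]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        verdict = "ok" if is_strong(pw) else ", ".join(password_problems(pw))
        print(f"{pw!r}: {verdict}")
```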
Posted by Eric Torres on Fri, Aug 12, 2011 @ 10:12 AM
Members of the notorious hacker group Anonymous have set their sights on taking down Facebook. They have even set a date, November 5th.
The 'hacktivists', infamous for meddling with the American government, for launching cyber-attacks on Sony, News Corp, Amazon, PayPal, MasterCard, Visa and the Pentagon, among other targets, and for their support of WikiLeaks, have announced that they will focus on bringing down the social networking site because of its privacy policy.
The announcement was made in a YouTube video and cites allegations of privacy infringement. Anonymous members accuse Facebook of selling information to government agencies and giving clandestine access to information security firms so they can spy on people all around the world.
"Everything you do on Facebook stays on Facebook regardless of your 'privacy' settings, and deleting your account is impossible, even if you 'delete' your account, all your personal info stays on Facebook and can be recovered at any time," the statement reads. "Changing the privacy settings to make your Facebook account more 'private' is also a delusion. Facebook knows more about you than your family."
The chilling video, a two-minute warning and explanation using a computerized voice, begins: "Attention citizens of the world, your medium of communication you all so dearly adore will be destroyed."
Anonymous, whose members have been known to wear Guy Fawkes masks - copying the film V for Vendetta - when they appear in public, has launched what it calls 'Operation Facebook'. It has pledged to bring down Facebook on November 5 - Bonfire Night - which commemorates the day in 1605 when Guy Fawkes tried to blow up Parliament.

Recently, fourteen members of Anonymous were arrested by FBI agents on charges related to their alleged involvement in the distributed denial of service (DDoS) attacks against online payment processor PayPal late last year. Further arrests and indictments are expected as authorities continue their investigations into other Anonymous attacks.
The Village Voice was actually one of the first to discover the Anonymous statement and brings up a very good point: killing Facebook for the sake of preserving privacy by a group of people who routinely steal private information is awfully ironic. How can the group be so adamant about privacy if they themselves are responsible for the theft of private information?
Anonymous said November 5th “will go down in history.” It added, “One day you will look back on this and realize what we have done here is right, you will thank the rulers of the internet, we are not harming you but saving you.”
Even though Anonymous has had success in hacking some major websites in the past, it’s questionable that it would be successful against Facebook. It might not have been the smartest idea to give Facebook several months to prepare for an attack. Many believe it will be extremely unlikely Facebook would be brought down, but when you’re talking about a group of hackers with motivation and disdain, you can never be certain.
UPDATED: The video has since been removed by the user. The Anonymous threat video can be found here: http://www.youtube.com/watch?v=Q6crH8qmyZ8
Posted by Eric Torres on Thu, Aug 11, 2011 @ 03:49 PM

A computer system at the University of Wisconsin-Milwaukee was hacked and bugged with malicious software.
According to the Milwaukee Journal Sentinel, malicious code was discovered on a document management database server. The university contacted law enforcement and, after a month-long investigation, determined that the database on the system contained over 75,000 records that included Social Security numbers for both students and employees.
Although this breach, which was discovered back on May 25, could have exposed the names and Social Security numbers of some 75,000 students, faculty and staff, UWM officials told the newspaper that the university has no evidence that information was looked at or used.
Nobody is sure how long the malware was running on the server, but it was shut down once the breach was found. UWM leaders suggest someone might have been trying to gain access to the university's computers for a different reason: it is suspected that the software was being used to identify cutting-edge research the school is working on, but that has yet to be confirmed.
"We are a research institution with a significant number of projects under way. It is theorized that this may have been an attempt to look at work being done," Tom Luljak, UWM's vice chancellor for university relations, told the newspaper. He added that the malicious software was installed remotely.
While the forensic investigation states that there is no evidence that the personal information was stolen, the school is still warning students to be vigilant by monitoring their credit history and putting a freeze on their credit report. It is also interesting to note that although most companies that suffer data breaches end up offering one year of free credit monitoring to the victims, the University of Wisconsin says that since there was no evidence the data was stolen, they will not offer the free service.
It’s also good to know that while students may have had their identity stolen, the database contained no “academic information such as student grades,” so at least the attackers won’t be able to identify whether students passed their criminology courses.
For more information on the security breach, UWM has set up this website.