The phishing messages claim that the fasted way to receive one’s economic stimulus tax rebate is through direct deposit. They include a Web link to an online submission form designed to steal submitted information from those fooled into believing that providing personal data will hasten the arrival of their tax rebate.

The IC3 includes a sample phishing message that purports to be from the Internal Revenue Service. It warns recipients that failure to submit information by May 10th may delay the promised funds.

In fact, the IRS is sending economic stimulus payments out to about 130 million U.S. households this month, ranging from $300 to $1, 200. But it’s not sending anyone e-mail offering to hasten delivery through direct deposit of the funds.

“Consumers are advised that the IRS does not initiate taxpayer communications via e-mail,” IC3 warns. “In addition, the IRS does not request detailed personal information via e-mail or ask taxpayers for the PIN numbers, passwords, or similar secret access information for their credit card, bank, or other financial accounts.”

Furthermore, IC3 advises against opening e-mail from unknown senders or clicking on links in such messages.

According to the Anti-Phishing Working Group, 29,284 unique phishing reports were submitted to the organization in January, an increase of more than 3,600 from the previous month.

Read the rest of the story…

Related posts:

• Threat Alert: Spear Phishing
• PayPal Plans to Ban Unsafe Browsers
• How Anonymous Are You?
• ‘Long-Term’ Phishing Attack Underway
• YubiKey - One-time Password and Authentication Device

And surprisingly, according to many experts, the database — home of the enterprise’s crown jewels — is still not secured properly in many enterprises. Malicious hackers are using shockingly simple attack methods to break into databases, such as exploiting weak passwords and lax configuration, and capitalizing on known vulnerabilities that go unpatched.

And don’t even get us started on the epidemic of missing backup tapes: If the lost or stolen tapes are unencrypted, you’re toast if a bad guy gets hold of them. No hack required.

“One of the biggest problems is that many database attacks are not even known” about, says Noel Yuhanna, principal analyst with The Forrester Group. “The typical database may have 15,000 to 20,000 connections per second. It’s not humanly possible to know what all of these [connections] are doing.”

Hackers are well aware of enterprises’ database patch dilemma — in fact, they’re banking on a backlog. Gone are the days when companies could lock down a handful of databases in the data center: Most organizations today have hundreds, even thousands of databases to configure, secure, and monitor — and remote users, customers, and business partners all need access to them.

“The big thing that bothers me is when I go to a customer’s site, usually their [database] configuration is so weak that it’s easy to exploit. You usually don’t need buffer overflow or SQL injection [attacks] because the initial setup of the database is totally insecure,” says Slavik Markovich, CTO of Sentrigo, a database security vendor.

Database attacks don’t have to be complicated with all of this low-lying fruit hanging around. “Those are basic configuration problems, so a hacker doesn’t have to do something really sophisticated because these easy things work,” Markovich says.

Read the rest of the story…

Related posts:

• The Snare Of Unauthorized Requests
• Microsoft offers assistance to combat mass SQL injection
• Mass SQL injection
• sqlninja 0.2.2 Released - SQL Injection Tool
• SQL query injection for dummies

Please visit the “List of Tools” page for a complete list of what is included in the latest version of UBCD4Win.

Download here

Related posts:

• Who Killed My Hard Drive?
• How to Choose a Home PC Backup Method
• Dealing With Hard Drive Problems
• Beginners Guides: Back up and Restore Data in WinXP

Because of a virus infection, the Vietnamese language pack for Firefox 2 was polluted with adware, Mozilla security chief Window Snyder said in a blog posting. “Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy,” she wrote. “Mozilla does virus scans at upload time but the virus scanner did not catch this issue until several months after the upload.”

Mozilla is now going to add additional scans of its software to prevent this kind of thing from happening in the future, she said.

The malware in the language pack is from the Xorer Trojan, according to discussion on Mozilla’s Bugzilla developer Web site, which indicates that Mozilla developers first discovered the issue on Tuesday.

“I think it (happened) just because the author’s local network was infected with the virus, so it modified HTML files,” wrote developer Hai-Nam Nguyen. “The infected code just display(s) annoying banner but it can’t propagate.”

The open-source browser maker does not know how many people were infected with the adware, but the plugin was downloaded more than 1,200 times in the past week and has been downloaded 16,667 times since November.

On Wednesday afternoon, the Web page for the plugin was off-line as Mozilla scrambled to come up with a new, adware-free version of the language pack. In the meantime, users of the software should disable the plugin, Snyder said.

Source: PC World

Related posts:

• Why Your Computer Runs So Slowly
• Vista Security Is Annoying by Design
• USB malware on the rise
• Top 15 Malicious Spyware Actions
• Targeted attacks using malicious PDF files

• Using a new super-sensitive photonic electric field sensor, RedTacton can achieve duplex communication over the human body at a maximum speed of 10 Mbps.
• RedTacton uses the minute electric fieldemitted on the surface of the human body. Technically, it is completely distinct from wireless and infrared.
• A transmission path is formed at the moment a part of the human body comes in contact with a RedTacton transceiver. Physically separating ends the contact and thus ends communication.
• Using RedTacton, communication starts when terminals carried by the user or embedded in devices are linked in various combinations according to the user’s natural, physical movements.
• Communication is possible using any body surfaces, such as the hands, fingers, arms, feet, face, legs or torso. RedTacton works through shoes and clothing as well.

RedTacton Homepage

Related posts:

• Wireless modem considerations
• Protect Yourself From PC Security Pitfalls
• How to disable USB storage devices
• Detecting Rogue Wireless
• Wireless Security Gets Boost From New Round of Products

The details, the script source that is injected into webpages is hxxp://winzipices.cn/#.js (where # is 1-5).  This, in turn, points to a cooresponding asp page on the same server.  (i.e. hxxp://winzipices.cn/#.asp).  This in turn points back to the exploits.  Either from the cnzz.com domain or the 51.la domain.  The cnzz.com (hxxp://s141.cnzz.com) domain looks like it could be set up for single flux, but it’s the same pool of IP address all the time right now.  hxxp://www.51.la just points to 51la.ajiang.net which has a short TTL, but only one IP is serving it.

Fair warning, if you google this hostnames, you will find exploited sites that will try and reach out and “touch” you… even if you are looking at the “cached” page.  Proceed at your own risk.

UPDATE: We’re also see this website serving up some attacks in connection with this SQL Worm (hxxp://bbs.jueduizuan.com)

Source: SANS

Related posts:

• SANS solves mystery of mass Web site infections
• The Snare Of Unauthorized Requests
• Microsoft offers assistance to combat mass SQL injection
• Mass SQL injection
• Top Six Database Attacks

Yahoo is using McAfee’s SiteAdvisor to identify malicious websites. The Yahoo version, called SearchScan, will display a warning in the list of hits if potentially dangerous websites are found that fall into the categories dangerous downloads, risk of being hacked and unsolicited e-mails – indeed, Yahoo goes so far as to suppress from the hit list sites that are categorised as risk of being hacked.

As with most of the currently available link assessment systems such as McAfee’s SiteAdvisor, Finjan’s SecureBrowsing, and CAE’s LinkAdvisor, users should not automatically assume that links not flagged as malicious are always harmless. The flagging of suspect websites can help reduce the number of people who become infected with a Trojan via security vulnerabilities in their browser or add-ons when browsing the web. Importantly, the basic “red triangle” warning appears by a suspect listing in the Yahoo results whether or not JavaScript is enabled, so secure browsing does not prevent the message getting through. However, the information bubble and further details are only available if JavaScript is enabled.

Source: Heise Security

Related posts:

• Second mass hack exposed
• Javascript Malware Source Code
• Click here to become infected
• Advice for securing your site and your reputation
• ‘Pro-Tibet’ Rootkit Attacks Windows PCs

Unfortunately it was discovered that both functions fail to protect against shell command injection when the shell uses a locale with a variable width character set like GBK, EUC-KR, SJIS, ..

This can lead to arbitrary shell command injection vulnerabilities in PHP applications believed to be safe. In addition to that exploiting this problem in PHP functions that use this shell escaping internally allows safe_mode and disable_functions bypass.

Details:
escapeshellcmd()
escapeshellcmd() will put a single backslash character in front of every shell meta character like ; $ < > … to escape it. This function is normally used to ensure that only a single shell command is executed and that it is not possible to append further shell commands.

The problem is that the backslash character is a legal second byte of several variable width encodings. Because of this a shell that is for example configured to use a locale with the GBK character set will consider the introduced backslash as part of a multibyte character instead of an escaping of following meta character.

Example:
escapeshellcmd(”echo “.chr(0xc0).”;id”);

Executing the result of this will therefore result in echo and id being executed.

escapeshellarg()
escapeshellarg() does not use the backslash character to escape shell meta characters. Instead it places the argument in single quotes and only escapes single quotes in the qrgument with the string ‘\” . Because of this it is not possible to use the same trick. However in case there are multiple inputs it is possible to “eat” the terminating single quote which results in a shell command injection through the second argument.

Example:
$arg1 = chr(0xc0);
$arg2 = “; id ; #”;
$cmd = “echo “.escapeshellarg($arg1).” “.escapeshellarg($arg2);

In this example the 0xC0 character forms a multibyte character with the terminating single quote. Therefore the starting single quote of $arg2 will be used as terminating single quote and the content of $arg2 can be used to inject everything.

NOTE: This attack works because even invalid second byte characters are accepted on several platforms as valid.

safe_mode_exec_dir bypass
Because of the vulnerability described above, it is possible to bypass the safe_mode_exec_dir directive of PHP. This directive is supposed to ensure that only shell commands within the allowed directory can be executed.

This attack is however only feasible when the shell uses one of the vulnerable locales, because during safe_mode it is not possible to set the LANG environment variable that would influence the shell.

mail() fifth parameter - disable_functions bypass
Because of the vulnerability described above, it is possible to execute arbitrary shell commands on a system even when all shell execution functions like shell_exec(), system(), … are disabled by the disable_functions directive, but mail() is still allowed. This attack relies on the fact that the fifth mail() parameter is used as argument to the sendmail binary and escaped with escapeshellcmd() internally to ensure that no further shell commands are appended.

Because PHP scripts can influence the locale of the shell (unless running in safe_mode) this attack allows bypassing the setting of disable_functions when a vulnerable locale is installed on the system. In case the system’s shell does not support one of the vulnerable character sets the attack is not feasible.

Read the rest of the story…

Related posts:

• WordPress PHP Code Execution and Cross-Site Scripting
• sqlninja 0.2.2 Released - SQL Injection Tool
• PHP Weak Random Number Seed Vulnerability
• PHP 5.2.6 plugs security holes
• Cross-Site-Scripting with Morse code

Unfortunately it was discovered that the GENERATE_SEED() macro contains several problems that can lead to a weaker seed than expected. In the worst case the seed is directly predictable, which allows to predict all random numbers from the outside.

NOTICE: Neither rand() nor mt_rand() produce cryptographically secure random numbers and should therefore never be used for such applications.

ATTENTION: This vulnerability was not mentioned in the security changelog of PHP 5.2.6

Details:
PHP uses the following macro on the first usage of rand() or mt_rand() within a PHP process to seed the different random number generators.

#ifdef PHP_WIN32
#define GENERATE_SEED() ((long) (time(0) * GetCurrentProcessId() \
* 1000000 * php_combined_lcg(TSRMLS_C)))
#else
#define GENERATE_SEED() ((long) (time(0) * getpid() * 1000000 \
* php_combined_lcg(TSRMLS_C)))
#endif

This produces a seed that depends on the unix timestamp, the process identifier the factor 1000000 and a value between 0 and 1 that itself depends on the current microsecond and the process identifier.

It should be obvious that this not cryptographically strong because the current unix timestamp is known to the attacker and only a part of the process identifier and the microsecond can be considered as entropy. However this macro contains two problems that weakens the produced seed. One affects 32 bit systems and the other only affects 64 bit systems.

zero factor problem
When you have a look on the code generated by the compiler you will see that it first multiplies the timestamp, process identifier and the numerical factor. This is performed in modular integer arithmetic. It was therefore evaluated how likely it is that the multiplication will result in a zero, because then the seed will be zero, too. (on older PHP versions the seed will be 1 for mt_rand() because the lowest bit will be forced to be 1)

1000000 is a number with its lowest 6 bits set to zero. Therefore the multiplication will result in zero if the timestamp and process identifier contain together 26 lower zero bits.

Because the process identifier cannot be influenced directly the timestamp is the easier part to influence. The timestamp has its 26 lower bits all zero once every 2.1 years. This means every 2.1 years there is a second in which the random number generator will be seeded with a seed of zero. An attack happening during this second on a freshly seeded random number generator (very easy to trigger on CGI installations) will therefore allow to predict all generated random numbers.

To overcome the “only once every 2.1 years” problem it is possible to use the lower bits of the process identifier in the multiplication. On some platforms (windows) the process identifier is for example always even which means on these platforms the attack is possible every 1.05 years. This can be further improved by sending more requests at the same time. They all will be handled by different process identifiers and by triggering enough requests the probability of for example 3 lower bits being zero is high. With 3 lower zero bits the attack is feasible every 3 months.

precision problem
On 64 bit systems a different problem arises from the multiplication. Because the multiplication is performed in 64 bit the result of the multiplication usually contains too many digits to be converted to a double without loss of precision. Therefore several lower bits of the results are usually lost during the conversion which results in a seed with zeroes in the lower bits. During our tests the lower 8 bits were most of the time zero.

This means the seed generated by GENERATE_SEED() is in the majority of invocations only 24 bit strong. This means that bruteforcing the seed on a 64 bit system should be done by first populating the higher bits to ensure the result is found faster.

Read the rest of the story…

Related posts:

• WordPress 2.5 Cookie Forging Explained
• Web bugs return using digital certificates
• Vulnerability in Google spreadsheets allows cookie stealing
• Targeted attacks using malicious PDF files
• Security Guru Gives Hackers a Taste of Their Own Medicine