Archive for October 2010

IT director gets jail term for hacking former employer’s site

IDG News Service – A man fired as IT director for a Richmond, Virginia, seller of telecom equipment has been sentenced to 27 months in prison for hacking into his former employer’s website and deleting files, the U.S. Department of Justice said.

Darnell Albert-El, 53, pleaded guilty to one count of intentionally damaging a protected computer without authorization on June 29. He was sentenced Friday in U.S. District Court for the Eastern District of Virginia and, in addition to the prison time, ordered to pay US$6,700 in restitution to Trans Marx, which sells discounted telecom equipment and supplies.

Albert-El, of Richmond, worked at Trans Marx from February to June 2008, according to court documents. Before he was fired, Albert-El had access to the Trans Marx computer network, including the company website hosted in Georgia, the DOJ said.

On July 25, Albert-El used a personal computer and an administrator account to access the computer hosting the company’s website, and he deleted about 1,000 files related to the Trans Marx website, the DOJ said.

In his plea agreement and an earlier interview with U.S. Federal Bureau of Investigation agents, Albert-El said he deleted the files because he was angry about being fired, the DOJ said.

Albert-El later told Trans Marx employees where backup tapes were located and offered to assist them in restoring the files, said his lawyer, Mary Maguire, while arguing in court documents for a lenient sentence.

By Grant Gross


Posted October 29, 2010 by axxerainc in Uncategorized

Russian-Armenian botnet suspect raked in $140,000 a month

IDG News Service – By all measures, Georg Avanesov was very good at his job — until he was arrested earlier this week.

Just 27 years old, he had amassed a tidy fortune, allegedly running an efficient clandestine network of hacked computers around the world.

Those computers were infected with Bredolab, a piece of malicious software responsible for sending spam, conducting attacks on websites and enabling other cybercriminals to steal money from online bank accounts.

Avanesov allegedly rented and sold part of his botnet, a common business model for those who run the networks. Other cybercriminals can rent the hacked machines for a specific time for their own purposes, such as sending a spam run or mining the PCs for personal details and files, among other nefarious actions.

Dutch prosecutors believe that Avanesov made up to €100,000 ($139,000) a month from renting and selling his botnet just for spam, said Wim De Bruin, spokesman for the Public Prosecution Service in Rotterdam. Avanesov was able to sell parts of the botnet off “because it was very easy for him to extend the botnet again,” by infecting more PCs, he said.

Avanesov may have netted more money, in other ways.

“We don’t have more financial information about what he did,” De Bruin said. “Our investigation was focused on dismantling the network then getting a hold of our main suspect, but this criminal investigation hasn’t stopped yet. We hope to get a better picture of the money and his business relationships.”

As a result, Avanesov may have made millions in a career spanning more than a decade, according to a source close to law enforcement. He vacationed in the Seychelles with an attractive girlfriend and reportedly even had a side hobby as a DJ, the source said.

But Avanesov is now being held by Armenian authorities after a sting operation earlier this week by Dutch police and computer security experts with help from Russian authorities. He was arrested after taking a late flight on Monday night from Moscow to Yerevan, Armenia’s capital.

The bust wasn’t supposed to happen that way, however, according to the source. Avanesov nearly got away.

Dutch authorities tried to lure Avanesov to Schiphol airport near Amsterdam, where police planned to follow him and wait until he took control of the Bredolab botnet, then bust down the door and arrest him on computer hacking charges. He was expected to be on a flight into Schiphol but never arrived.

“They [the police] were waiting for him, but he didn’t come,” according to the source.

In the meantime, the people in control of Bredolab had noticed something strange was happening with their botnet. Around 2 p.m. CET on Monday, the Dutch High Tech Crime Team began taking over command-and-control servers used to issue instructions to the 29 million infected computers with help from the Dutch Forensic Institute, the Dutch computer emergency response team Govcert, and the security vendor Fox IT.

Bredolab used 143 servers that were part of a network run by LeaseWeb, one of the largest hosting providers in Europe. LeaseWeb had known of the problem since August and cooperated with the investigation.

As Bredolab was shut down, a denial-of-service attack — which involved bombarding servers with meaningless traffic to shut them down — was launched against the infrastructure used by the Dutch authorities. Some 225,000 computers were used in the attack, which actually slowed Internet service down in the Netherlands for a short time but was repelled within a couple of hours.

It isn’t easy to track down people who run botnets, as they use sophisticated methods to keep from being identified. Botnet controllers — also known as “herders” — take up to 20 measures to ensure their anonymity, said Ronald Prins, who helped with the takedown. But if one step is left out, investigators can grasp a thread. The trail led to Avanesov.

Armenia is detaining Avanesov, said Sona Truzyan, press secretary for the Prosecutor General’s Office, on Friday. The Netherlands has 40 days to file an extradition request, she said. De Bruin said his office is working on the request.

By Jeremy Kirk

Posted October 29, 2010 by axxerainc in Uncategorized

Hackers exploit newest Flash zero-day bug

Computerworld – Adobe today confirmed that hackers are exploiting a critical unpatched bug in Flash Player, and promised to patch the vulnerability in two weeks.

The company issued a security advisory that also named Adobe Reader and Acrobat as vulnerable.

“There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat,” said Adobe in its warning. The company said it’s seen no sign that hackers are also targeting Flash Player itself.

Those reports came from Mila Parkour, an independent security researcher who notified Adobe early today after spotting and then analyzing a malicious PDF file. According to Parkour, the rigged PDF document exploits the Flash bug in Reader, then drops a Trojan horse and other malware on the victimized machine.

Adobe said that all versions of Flash on Windows, Mac, Linux and Android harbored the bug, and that the “Authplay” component of Reader and Acrobat 9.x and earlier also contained the flaw. Authplay is the interpreter that renders Flash content embedded within PDF files.

Last month, Parkour uncovered a bug in Reader’s font-rendering technology that was exploited by attack campaigns using bogus messages from renowned golf coach David Leadbetter as click bait.

Today’s vulnerability, however, is more reminiscent of one reported in June that also involved Authplay. Adobe issued an emergency patch for Flash Player within a week, and followed with a fix for Reader and Acrobat two weeks later.

Adobe will patch this newest bug in a similar fashion. Today it promised to issue a fix for Flash by Nov. 9, and updates for Reader and Acrobat the following week.

Danish vulnerability tracker Secunia ranked the Flash flaw as “extremely critical,” its highest threat ranking, and said criminals could use it to compromise systems and execute malicious code.

Security experts have regularly criticized Adobe Flash’s security, with some questioning the company’s decision to integrate the media player’s capabilities within the almost-as-popular Reader. Adobe has countered those arguments with its own, saying that many users rely on the functionality.

Until a patch is available, users can protect themselves from active attacks by deleting the “authplay.dll” file that ships with Reader and Acrobat. Adobe gave the same advice in June when the earlier Flash vulnerability was reported.

Dumping authplay.dll, however, will crash Reader and Acrobat or produce an error message when the software opens a PDF file containing Flash content.

Today’s Flash flaw disclosure was the second Adobe has acknowledged since the technology was ported to Google’s Android operating system two months ago.

Although Adobe tries to hew to a quarterly patch schedule for Reader and Acrobat, it’s repeatedly been forced to scuttle those plans to issue rush fixes for critical bugs. The next regularly-scheduled Reader update was not supposed to land until Feb. 8, 2011.

At times, Adobe has abandoned scheduled Reader updates after shipping an “out-of-band” patch, but that’s unlikely here as the company is in the early days of its next patch cycle.

By Gregg Keizer

Posted October 29, 2010 by axxerainc in Uncategorized

Koobface worm targets Mac users on Facebook, Twitter

Computerworld – A new variant of the Koobface worm that targets Mac OS X and Linux as well as Windows is spreading through Facebook, MySpace and Twitter, security researchers warned today.

Antivirus firms first reported the malware, dubbed “Boonana,” on Wednesday when Intego and SecureMac, two Mac-only security vendors, warned Mac OS X users that the worm was aimed at them.

Boonana spreads via messages posted to social networking or microblogging sites. Those messages bait the trap with the subject “Is this you in the video?” and a link to a malicious site. People who bite and click the link are then prompted to run a Java applet.

That applet is key to the malware’s cross-platform capabilities, said Symantec in a note posted to its research blog.

“The [malware] is written in Java, which is a platform independent language,” said Symantec researcher Jeet Morparia. “Individual modules contain Java compiled files, which are packaged in a Java runtime executable. As long as a computer has the Java Runtime Environment (JRE) installed on it, which is often the case across all the platforms, the threat can execute itself.”

Intego and Symantec noted that the worm includes several components, including an IRC connector used by the hacker to issue commands to hijacked computers, a keylogger to steal usernames and passwords, and a rootkit to hide it from security software.

Functionally, Boonana works the same as the better-known Koobface Windows worm. Koobface has been actively infecting Windows PCs for more than two years, although virulent forms used in large-scale attacks didn’t appear until early 2009.

Koobface, an anagram of Facebook, is best-known for infecting PCs through spammed messages on the giant social networking service.

According to Symantec, Boonana includes a component that reads browser cookies of users logged into Facebook, then posts additional bogus messages and links on the site using those Facebook accounts.

A Facebook spokesman downplayed the threat, saying in an e-mail reply to a request for comment that it was a “small-scale attack.” As is its practice, Facebook has blocked access to accounts compromised by Boonana in an attempt to quell the malware outbreak.

Marc Fossi, the director of Symantec’s security response team, echoed Facebook, saying that his group had tracked a number of infection attempts, but that the number was “not in epidemic proportions.”

The important element in Boonana, Fossi continued, is its cross-platform infection ability, courtesy of Java, which is installed on many Windows, Mac and Linux machines. Such threats are rare, he added, as he cited the one example he was familiar with. “I recall [just] one piece of malcode from a few years back that affected Windows and OS X, but I believe it was proof of concept and didn’t really go anywhere,” he said.

Mac OS X has bundled an Apple-maintained version of Java for years, but last week the company announced it was “deprecating,” or dropping it, from OS X. Java is also out as a development platform for the upcoming Mac App Store, according to Apple’s guidelines, and will probably not find a home in the next version of Mac OS X, dubbed “Lion” by CEO Steve Jobs during a sneak peek on Oct. 20.

For Dino Dai Zovi, a noted Mac vulnerability and exploit researcher — and the co-author of the Mac Hacker’s Handbook — Apple’s ditching Java can’t come too soon.

“Most Mac users do not need or even use Java, and [deprecating it] will make them safer than having a large window of vulnerability in a plug-in that is being actively attacked in the wild through exploits that can easily be adapted to target Mac OS X,” Dai Zovi said in an e-mail reply to questions about Java.

“It’s not worth the risk of having it enabled,” he added.

Fossi agreed. “It probably isn’t a bad idea” for Apple to drop Java, he said.

Apple’s operating system rival has said it’s seen an “unprecedented wave” of Java exploits in the last nine months. Last week, Microsoft’s malware group announced that Java exploits had skyrocketed recently, booming from less than half a million in the first quarter of 2010 to more than 6 million in the third quarter.

Posted October 29, 2010 by axxerainc in Uncategorized

Paperless e-voting a concern this election, say watchdogs

Computerworld – Some election watchers are expressing concern over the fact that about one in four registered voters in next week’s general elections will be casting their ballots using electronic voting machines that offer no verifiable paper records.

Paperless direct-recording electronic voting systems have drawn flak in past elections for being unreliable, too hard to audit and too prone to all sorts of tampering.

Such concerns have prompted 32 states and the District of Columbia to pass laws mandating the use of voting systems that support voter-verified paper records over the past few years.

Election officials in another six states have adopted similar systems even though they are not required by law to do so.

However, six states — Delaware, Georgia, Louisiana, Maryland, New Jersey and South Carolina — still use paperless e-voting systems statewide, according to a tally maintained by the election watchdog Verified Voting Foundation. In Indiana, Pennsylvania, Texas, Tennessee, and Virginia, direct-recording electronic voting systems account for a vast majority of voting systems.

In addition, paperless voting systems are in use to varying degrees in several other states, including Kansas, where at least 40% of the vote is paperless, according to Verified Voting.

The problem with using paperless voting systems is the relative difficulty of verifying the accuracy of electronic tallies, said the watchdog group’s president, Pamela Smith.

Voter-marked paper ballots that are scanned and tallied by electronic systems, along with paper copies of electronically cast votes, together give election officials a reliable way to verify the accuracy of tallies, she said. “Paper enables the properties of recounting that we need right now,” Smith said.

The fact that electronic voting systems can run into technical issues and are susceptible to tampering makes the need for a paper trail all the more important, said Bo Lipari, founder of New Yorkers for Verified Voting.

In November 2006, for instance, paperless touch-screen voting machines used in a congressional district race in Sarasota County, Fla., came under intense scrutiny after 18,000 ballots didn’t record a vote in a tight race that was decided by a mere 369 votes.

The incident prompted calls by lawmakers for a review of paperless e-voting systems, and for the use of systems that produced a paper trail of every vote.

Last year, California officials disclosed that they had discovered numerous software errors and data deletion functions in e-voting systems, after nearly 200 votes were deleted from the official results for Humboldt County during the 2008 presidential elections.

Over the past few years, security researchers have also reported various flaws in e-voting systems that they have claimed make the systems easy to compromise.

One of the most sensational was a report by researchers at Princeton University that showed how attackers could install vote-stealing code in an electronic voting machine in less than a minute.

“The problem when you are dealing with pure software is that you really have no way to verify if the software has been operating correctly,” Lipari said. “We know software can be hacked and that it has flaws and that programmers make mistakes.”

“We see it happening every year, and there is no way to verify the results you are getting from the software. You’ve got to trust it,” he said.

Since the Help America Vote Act (HAVA) was passed in 2002, most states have moved to systems that have some sort of a verifiable paper record, Lipari said. Some systems require voters to mark ballots and then scan them into an optical reading device, while others are direct-recording systems that generate paper copies.

“We have seen a lot of progress over the last four or five years,” Smith said. “But we still have nearly a quarter of the voters using some kind of paperless voting system.”

Merle King, executive director of the Center for Election Systems, a cooperative venture between Georgia’s secretary of state’s office and Kennesaw State University, refuted the notion that paperless systems are inherently unreliable.

Most arguments for paper-based systems are based on the assumption that credible auditing has to always be centered on paper, he said.

“I think the notion that electronic systems are not auditable would come as a shock to every accounting firm, every auditing firm, the federal government, the airline industry and all who have paperless systems,” King said. “The notion that paper equals auditability is old-fashioned at best and ill-informed overall.”

Most election fraud has historically happened with paper ballots, which even today is more prevalent with mail-in absentee ballots, he said.

Likewise, concerns about the security of e-voting systems are somewhat misplaced, King argued. In many cases where researchers have broken into voting systems, the models that were used to simulate hacking have been divorced from how the systems are used in an actual election, he said.

The real question should not be about just how well-protected e-voting systems are, but rather how easy it is to detect tampering, King said.

Posted October 29, 2010 by axxerainc in Uncategorized

A peek into Google’s anti-malware operation

Google goes to great lengths to secure its users from threats lurking on the Web, because a half-hearted effort would soon drive the company out of business.

But, during his presentation at the SecTOR security conference in Toronto, Google security researcher Fabrice Jaubert revealed that sometimes even seemingly good methods are thwarted by careless users.

Take, as an example, the warning page that Google presents to users when they try to access a website that is likely to harm their system. It used to contain a button that allowed them to proceed to the page and, surprisingly enough, 95 percent of users would do just that, despite the warning.

So the company changed it: users must now copy and paste the URL of the offending page directly into the browser’s address bar if they want to access it, an extra step that hopefully allows their better judgement to kick in.

According to eSecurityPlanet, Jaubert says that Google distinguishes three kinds of malicious sites: phishing, spamming, and those serving malware. Phishing and spamming sites are usually removed from Google’s index, but only some types of malware sites receive the same treatment.

A likely reason for this distinction, confirmed by Jaubert, is that criminals lately seem to prefer compromising legitimate websites to creating their own distribution pages in order to peddle their wares.

To find these sites, Google uses a massive number of virtual machines running unpatched Windows, the Internet Explorer browser and out-of-date plug-ins, with which it visits potentially malicious websites. It also tests with the Firefox browser, but Jaubert notes that new malware is usually first detected for IE, because it is still the most widely used browser.

Google combines the data from this testing with data gathered by its site-crawling mechanism to decide whether a site is potentially malicious. That knowledge is then fed into a number of Google tools built to help users (the Safe Browsing API) and administrators (Google Webmasters, Safe Browsing Alerts for Network Administrators) avoid malware risks.

Posted October 29, 2010 by axxerainc in Uncategorized

Firefox extension makes social network ID spoofing trivial

A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook’s changing privacy settings and various privacy breaches simply miss the point.

“When it comes to user privacy, SSL is the elephant in the room,” said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can “sniff out” the unencrypted HTTP sessions that users on the same network segment are using to access social networks, online services and other websites requiring a login, hijack them, and impersonate the user.

“As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed,” explains Butler. “Double-click on someone, and you’re instantly logged in as them.”

It is not that this was impossible before Firesheep, but it required knowledge that average Internet users didn’t have. “Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win,” says Butler.

Whether he will succeed in pointing out the need for full end-to-end encryption and spurring websites into action remains to be seen. Among the websites whose cookies Firesheep can identify are Facebook, Flickr, Google, Twitter, Yahoo, WordPress, and many others.

As I write this, the extension has been downloaded some 8,000 times, and the number is rising by the second. Wouldn’t it be amazing if an action such as this could bring about the realization of a more secure Internet?

Posted October 27, 2010 by axxerainc in Uncategorized
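The weakness Butler describes is a session cookie the browser will send over plain HTTP. As an added example that is not from the article or from Firesheep, this Python audit checks response headers for cookies lacking the Secure and HttpOnly flags and for a missing or zeroed Strict-Transport-Security header; the two responses are constructed for the example, not captured from any real site.

```python
"""Audit HTTP response headers for the weakness behind Firesheep-style session
hijacking. Added example; not code from the article or from Firesheep."""

from typing import Dict, List, Tuple

# Constructed sample of the weak pattern: login over HTTPS, but the session
# cookie lacks Secure, so the browser also sends it on plain http:// requests.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=4f9a2c7e; Path=/; HttpOnly
Set-Cookie: prefs=lang%3Den; Path=/
"""

# Constructed sample of the hardened form: Secure and HttpOnly on every cookie,
# plus HSTS so the browser refuses plain HTTP for this host for a year.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=4f9a2c7e; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: prefs=lang%3Den; Path=/; Secure; HttpOnly
"""


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return lower-cased (name, value) pairs for every line after the status line."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=val; Attr; Attr=x' into the cookie name and its attributes."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def hsts_max_age(headers: List[Tuple[str, str]]) -> int:
    """Return the HSTS max-age in seconds, or -1 when the header is absent."""
    for name, value in headers:
        if name == "strict-transport-security":
            for part in value.split(";"):
                key, _, val = part.strip().partition("=")
                if key.lower() == "max-age" and val.isdigit():
                    return int(val)
    return -1


def audit_response(raw: str) -> List[str]:
    """Return one finding per weakness that lets a network sniffer reuse the session."""
    headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"{cookie}: no Secure flag, sent on plain http:// requests")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: no HttpOnly flag, readable by page scripts")
    max_age = hsts_max_age(headers)
    if max_age < 0:
        findings.append("no Strict-Transport-Security header, browser may still use http://")
    elif max_age == 0:
        findings.append("HSTS max-age=0 disables the policy")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or ["ok"])
```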