November 2011 - Mark Ciampa's Blog (Security+ 4ed)

  • Latest Attack: Scorching Printer Paper

    Two researchers claim that the Hewlett Packard (HP) series of LaserJet printers have a vulnerability that could allow attackers to take control of the printer, attack other computers, and even issue commands that could cause the devices to overheat and catch fire {Chapter 13 Security+ 4ed}. While HP acknowledges there is a vulnerability, they deny that it could be used to turn printers into fuel for bonfires. The vulnerability is in the LaserJet printer's Remote Firmware Update process. A printer could be tricked into accepting modified firmware by anyone who has access to it. By sending a maliciously crafted print job--either from a computer connected to it or even remotely through the Internet if it is configured that way--an attacker could steal data still contained in its memory, use the printer to launch attacks on other connected computers, or even issue a command that could cause the printer's fuser (used to dry ink) to heat up and cause the paper to catch on fire....
  • Massive DDoS Attack

    A massive distributed denial of service (DDoS) attack {Chapter 3 Security+ 4ed} occurred earlier this month, according to Prolexic Technologies. The victim of the attack--conducted for over seven days in early November--was a large Asian e-commerce company and its domain name service (DNS) service provider. There were four consecutive waves launched from multiple botnets made up of as many as 250,000 zombies {Chapter 2 Security+ 4ed}, many of which were located in China. At the peak of the attack, each SECOND the zombies made 15,000 connections to the company's e-commerce platform, sending 69 million packets and consuming 45 gigabits of bandwidth. It is not known who was behind the attack or the reason why. It could have been a competitor who wanted to take down the e-commerce company or even a foreign government (when large amounts of out-of-country Internet payments for e-commerce transactions occur, the state is deprived of tax revenue). DDoS attacks are still very common. According...
  • CIA Monitoring Social Networks

    A story appeared earlier this month from the Associated Press that said the U.S. Central Intelligence Agency (CIA) is using social networks {Chapter 14 Security+ 4ed} to monitor "real-time assessments of public sentiment during rapidly changing events around the world". According to the story the CIA is monitoring up to 5 million Twitter tweets each day as well as watching Facebook and blog postings. Calling themselves the "vengeful librarians", these CIA employees gather information in multiple languages to build a profile--in real time--of moods in different parts of the world. Their reports are part of the President's daily intelligence briefing. When Osama bin Laden was killed by a U.S. Navy SEAL team earlier this year in Pakistan tweets were monitored, categorized, and evaluated. They showed that a majority of the tweets in the official language in Pakistan (Urdu) were negative. In addition, Twitter Arabic and Turkish tweets were evaluated after the President...
  • Facebook Self-Inflicted Attacks

    If you're one of the more than 800 million Facebook users then you may have seen some shocking images this week. On Tuesday (Nov 15 2011) Facebook confirmed that it had been the victim of a "coordinated spam attack", similar to one that occurred back in the spring when messages promising a video of the death of the Al-Qaeda terrorist Osama Bin Laden circulated. In this most recent attack sexually explicit pornographic images as well as photos of animal abuse were spreading to members' pages. The attacks are based on what's being called a self cross-site scripting (XSS) browser vulnerability {Chapter 3 Security+ 4ed} or a self-inflicted JavaScript injection (the security research firm Zscaler has interesting information about how it works along with a test to perform to see if your browser is vulnerable at http://research.zscaler.com/2011/11/facebook-anatomy-of-self-inflicted.html). Users receive spam messages that promise a peek at an "exclusive video" or a...
  • Duqu Details

    Four years is a long time. Yet that may be the amount of time that attackers spent on creating and perfecting Duqu (see Nov 4 2011 blog). Security researchers at Kaspersky Lab have been examining Duqu based on samples provided by CERT (Computer Emergency Response Team) in Sudan that were used in three attacks against targets in that country earlier this spring. Kaspersky estimates that some of the Duqu components date as far back as 2007. An analysis of the attack indicates that the initial attack point was a spear phishing e-mail {Chapter 2 Security+ 4ed} from a pretender requesting a joint business venture. The recipient was asked to open a Microsoft Word e-mail attachment that used the font Dexter Regular and even had the company's name in the filename. When the victim opened the malicious attachment it exploited a zero-day vulnerability in TrueType font handling to become active. Interestingly, it then did nothing until it detected there had been no keyboard or mouse activity for 10...
  • DNSChanger

    Domain Name System or DNS poisoning {Chapter 3 Security+ 4ed}, which replaces a valid IP address in a DNS record with a fraudulent one so that a request is redirected to another device, is a fairly common type of attack. Yesterday (Nov 9 2011) the FBI announced one of the biggest "takedowns" of a DNS poisoning attack that had infected over 4 million computers worldwide (with about half a million of those computers in the US), generating about $14 million. This FBI investigation, known as Operation Ghost Click, started back in 2007. Six attackers operating in Estonia and Russia were arrested yesterday by Estonian officials and will be extradited to the US. In addition, two data centers in New York City and Chicago were raided, resulting in a command & control (C&C) infrastructure of over 100 servers being taken offline. Victims' computers were infected with malware called DNSChanger. This software redirected the computer to a rogue DNS server in one of two ways. First, it would...
  • Duqu

    One of the most fascinating and potentially terrifying attacks of 2010 was the Stuxnet worm (see Sep 30 2010 and Oct 6 2010 blog postings). Now Stuxnet 2.0 is on the loose. This new threat is named Duqu [dyü-kyü] because it creates files with the file name prefix "~DQ". Duqu is being called by some security researchers a "precursor" to a future Stuxnet-like attack. It appears that it was written by the same authors as Stuxnet (or those who had access to the Stuxnet source code). Its purpose is to gather information from industrial infrastructure and system manufacturers (such as design documents) in order to then launch an attack. However, unlike Stuxnet, Duqu is not specifically targeted at industrial control systems and is not a worm that self-replicates. Duqu is a zero-day attack {Chapter 3 Security+ 4ed} that exploits a vulnerability in the Windows kernel. One successful version of the attack uses social engineering to trick users into opening...
  • You Call That A Vulnerability?

    A vulnerability in the social networking site Facebook was recently uncovered by a security researcher. Facebook denied that it was a vulnerability--but then they quietly fixed it. Facebook normally prevents one user from sending an executable attachment to another user through Facebook's "Message" feature. Blocking such files is done for obvious reasons, from stopping spear phishing attacks {Chapter 2 Security+ 4ed} to preventing the general spread of malware. However, the researcher found that if a space was added after the attachment's filename (such as changing it from "cmd.exe" to "cmd.exe ") then Facebook would in fact send the file (and the sender and recipient don't even have to be confirmed as friends). An unsuspecting recipient who accepted the file and then launched it would then become an unsuspecting victim. Facebook initially said that it wasn't really a vulnerability. Why? Because it would require both social engineering ...
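    The trailing-space bypass is a canonicalization bug: the filter compares the literal extension against a block-list, but the receiving operating system ignores the trailing whitespace and still treats the file as an executable. The following added example (not code from the blog or from Facebook) shows a naive attachment filter that fails on "cmd.exe " beside a hardened version that normalizes the name before deciding. The function names and the block-list of extensions are constructed for illustration.

```python
"""Naive vs. hardened executable-attachment filter (added example, hypothetical code).

The naive check compares the raw extension against a block-list, so any
trailing whitespace makes the extension look unfamiliar and the file passes.
The hardened check canonicalizes the filename first, then compares.
"""
import os
import unicodedata

# Constructed sample block-list of executable extensions (lower-case, no dot).
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "msi", "js", "vbs"}


def extension_naive(filename: str) -> str:
    """Extension exactly as the filename ends: 'cmd.exe ' -> 'exe '."""
    _, ext = os.path.splitext(filename)
    return ext.lstrip(".")


def is_blocked_naive(filename: str) -> bool:
    """Fails open: 'cmd.exe ' yields 'exe ', which is not in the set."""
    return extension_naive(filename).lower() in BLOCKED_EXTENSIONS


def normalize_filename(filename: str) -> str:
    """Canonicalize before any policy decision.

    - NFKC folds compatibility look-alikes (e.g. full-width letters) to ASCII.
    - Only the base name is kept, so path components cannot hide the extension.
    - strip() removes leading/trailing whitespace, including the trailing
      space used in the bypass described above.
    - Trailing dots and spaces are removed because Windows ignores them when
      opening a file ('cmd.exe.' is treated as 'cmd.exe').
    - Lower-casing makes the comparison case-insensitive.
    """
    name = unicodedata.normalize("NFKC", filename)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # basename, either separator
    name = name.strip().rstrip(". ").lower()
    return name


def extension_hardened(filename: str) -> str:
    """Extension of the canonical name: 'cmd.exe ' -> 'exe'."""
    _, ext = os.path.splitext(normalize_filename(filename))
    return ext.lstrip(".")


def is_blocked_hardened(filename: str) -> bool:
    """Decision made on the canonical form, so the bypass variants are caught."""
    return extension_hardened(filename) in BLOCKED_EXTENSIONS


def compare_filters(filenames):
    """Return (name, naive_blocked, hardened_blocked) for each constructed sample."""
    return [(n, is_blocked_naive(n), is_blocked_hardened(n)) for n in filenames]


if __name__ == "__main__":
    # Constructed sample attachment names, including the bypass variants.
    samples = ["cmd.exe", "cmd.exe ", "cmd.exe.", "C:\\tmp\\cmd.EXE\t", "report.pdf"]
    for name, naive, hardened in compare_filters(samples):
        print(f"{name!r:28} naive={naive!s:5} hardened={hardened}")
```

    The fix is not specific to trailing spaces: any filter that makes a security decision on a string should compare the canonical form the consumer will actually use, and the canonicalization should happen in one place so every check sees the same name.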
  • Dump SSL Certificates?

    Certificates based on SSL form one of the bedrocks of Internet security {Chapter 12 Security+ 4ed}. That's why the recent thefts of certificates from DigiNotar (see Sep 7, 10, 13 & 23 2011 blog postings) and Comodo (see Mar 20 2011 blog posting) are so alarming. Now one security researcher is proposing dropping SSL certificates as we know them today and replacing the system with a completely different approach. This researcher is calling his plan "Convergence". Today we have a hierarchical or a distributed trust model {Chapter 12 Security+ 4ed}: an SSL server certificate signed by a certificate authority or CA {Chapter 12 Security+ 4ed} is recognized by your browser based on code created by the browser vendors. In contrast, Convergence uses "crowd-sourcing". Users can query other users or organizations whom they trust to vouch for the validity of SSL certificates. These "notaries" that you contact tell you if they believe the certificate is valid...