Welcome to our weekly network and information security (Infosec) news highlights. Typically, I deliver these security highlights as a short video. However, I’m traveling this week for both business and personal reasons, and was unable to produce the video version during my hectic travel schedule. The video will return next week from the Interop IT conference in Vegas. Until then, enjoy this text summary of the biggest Infosec stories from the week.
This week’s stories include a big credential leak, the hijacking of a government web site, and news of a flaw in Google’s latest wearable computer. Read below for more details, and join us next week when the video version returns:
- Living Social breach leaks 50 million user credentials – Attackers breached Living Social’s network and made off with the personal information of 50 million users. The stolen data included email addresses, dates of birth, and hashed passwords. Hashing helps, but it is not a free pass: attackers can run offline dictionary and brute-force attacks against the leaked hashes and quickly recover the weaker passwords in the bunch. If you use Living Social, change your password immediately. More importantly, if you use the same password at other sites, stop doing that and change your passwords there too, because a recovered password will be tried everywhere else it might work.
- Latest on the mysterious Apache web site mass hijackings – Over the past few months, we’ve pointed out multiple incidents where thousands of Apache web servers were hijacked with a very sneaky backdoor. While researchers understood the complex backdoor the attackers were injecting, no one really knew how the attackers were initially gaining access to vulnerable sites (though many suspected cPanel or WordPress vulnerabilities). In any case, ESET and Sucuri have released new research on the complex backdoor (known as Linux/Cdorked.A) used in this attack campaign. It’s a very interesting read for the security conscious and a must-read for web administrators. Thanks to our friend and reader, Ryan, for pointing out this new research.
- Hackers pwn Google Glass – You’ve probably seen Google Glass, the latest wearable computer. It’s not really out yet, but a select group of developers with cash to spare have gotten their hands on preview copies of this interesting new product. This week, one of those developers learned how to jailbreak, or root, the device. Jailbreaking and rooting are terms for a user gaining full administrative control of a device that the manufacturer had locked down in some way. Usually, the device’s owner is the one who wants to root it, in order to do things the manufacturer didn’t originally intend. However, the techniques used to root devices often rely on software vulnerabilities, which attackers could also exploit to take full control of your device. Obviously, you don’t want that. In any case, Google Glass is really still in beta and not available to consumers. I wouldn’t be overly worried about this supposed flaw, as I’m sure Google will correct it before the official release. Still, an interesting read.
- Reader vulnerability allows attackers to track PDF documents – McAfee discovered an Adobe Reader flaw that attackers could leverage to learn when a user opens a particular PDF document, and from what IP address. This is not a critical issue, in that attackers can’t leverage it to execute code, but it does pose a privacy risk. There is no fix for the flaw yet, but you should expect one in an upcoming release.
- Chinese attackers force Department of Labor site to serve malware – According to AlienVault, the Department of Labor web site was hijacked by China-based attackers and forced to serve malicious code that tries to infect anyone who visits the site. The Department of Labor has since cleaned up its site, but if you happen to have visited it lately you should definitely scan your computer for malware.
- Serious flaw in IBM Notes – It’s hard for me to imagine anyone still using the Notes email client, but I have learned there are still some of you out there. This week, researchers reported a serious security flaw in this client involving how it handles Java applets and JavaScript. IBM plans to fix the flaw soon, but until then you should disable JavaScript and Java applets in the Notes client.
- State-sponsored attackers breach US government defense contractor – Investigators found evidence of a long-term breach of a US defense contractor that makes some pretty interesting defense and spy gear.
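To show why the Living Social item above is worse than “the passwords were hashed” makes it sound, here is a small offline dictionary attack. This is example code added for this summary, not anything from Living Social or from the original post: the post does not say which hash function was used, so the salted SHA-1 scheme, the “leaked” records and the wordlist are all constructed assumptions.

```python
"""Offline dictionary attack against leaked salted password hashes.

Added example, not code from the original post. The hash scheme
(hex SHA-1 over salt || password), the leaked records and the wordlist
are constructed here purely for illustration.
"""
import hashlib


def hash_password(password: str, salt: str) -> str:
    # Assumed scheme: hex(SHA-1(salt || password)). A fast digest like this
    # is exactly what makes offline guessing cheap: one guess is one SHA-1.
    return hashlib.sha1((salt + password).encode()).hexdigest()


# Constructed "leaked" records, built from (salt, plaintext). Nothing here is
# real data; the plaintexts exist only so the records can be generated.
_PLAINTEXTS = {
    "alice@example.com": ("8f2c", "password1"),
    "bob@example.com": ("a91d", "Summer2013"),
    "carol@example.com": ("3e77", "letmein"),
    "dave@example.com": ("c0de", "k7#Vq!9zLp2&Wm"),  # long, random: survives
}
# What an attacker actually holds: (email, salt, hash) with no plaintext.
LEAKED = [(email, salt, hash_password(pw, salt))
          for email, (salt, pw) in _PLAINTEXTS.items()]

# Constructed wordlist: a handful of the base words found in any public list.
WORDLIST = ["password", "letmein", "summer", "qwerty", "welcome"]


def candidates(word: str):
    """Yield mangled variants of a base word (case, digit and year suffixes).

    Real cracking tools apply thousands of such rules; a few are enough to
    recover the typical "word + digit" and "Word + year" passwords.
    """
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for digit in range(10):
            yield f"{base}{digit}"
        for year in range(2010, 2014):
            yield f"{base}{year}"
        yield f"{base}!"


def crack(leaked, wordlist):
    """Return ({email: recovered_password}, total_guesses).

    A per-user salt defeats a single precomputed table, so each record is
    attacked separately, but every guess is still only one cheap hash call.
    """
    recovered = {}
    guesses = 0
    for email, salt, digest in leaked:
        for word in wordlist:
            hit = None
            for cand in candidates(word):
                guesses += 1
                if hash_password(cand, salt) == digest:
                    hit = cand
                    break
            if hit is not None:
                recovered[email] = hit
                break
    return recovered, guesses


if __name__ == "__main__":
    found, total = crack(LEAKED, WORDLIST)
    print(f"{len(found)} of {len(LEAKED)} passwords recovered in {total} guesses")
    for email, pw in found.items():
        print(f"  {email}: {pw}")
```

Three of the four constructed accounts fall to a five-word list with simple mangling rules; only the long random password survives. The two takeaways match the advice in the item: weak passwords are recovered from hashed leaks in seconds, and once recovered they are tried against every other site where the same email address is used. On the defender’s side, a deliberately slow, salted function such as bcrypt, scrypt or PBKDF2 with a high iteration count turns each guess from one SHA-1 into thousands of hash operations, which changes the economics of this attack without changing anything for legitimate users.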
— Corey Nachreiner, CISSP (@SecAdept)
Encrypted commands via special HTTP GET requests, adding a base64-encoded string during redirection, status reports via ETag HTTP headers, storing code in shared memory, multiple stealth methods and especially the unknown “way to break in” allow me to classify Linux/Cdorked.A as a “resident stealth remote controlled malware 0-day exploit hybrid”… 🙁 Can’t classify it any shorter, because it is outside the typical trojan or exploit or 0-day or stealth virus.
But if speaking more seriously – one point doesn’t want to leave my head… Something IS TERRIBLY WRONG with this long and mysterious Cdorked event. Maybe you will not share my assumption. But… why is there still no distinct information about the way it breaks in? Even if that malware clears logs after the invasion procedure… thousands and thousands of servers are already infected, and a number of antivirus vendors are involved in the “hunt for Cdorked”. But still no info about the break-in functions. Strange, very strange.