NEWS / VENDOR LIABILITY
Computer Fraud & Security, April 2009

…of the malware has been given different letters by different vendors. The variant referred to by Microsoft as Conficker.D is known as Conficker.C by others, for example. The meeting, conducted late last month in Florida, brought together some of the major players in the antivirus space, Abdulhayoglu said. However, both Symantec and McAfee were notable absentees. “It would be nice to have them and I am sure that they will come and join us at some stage, should they care about their users,” said Abdulhayoglu. “I am sure that they are just waiting to see how the organisation takes shape.” Microsoft is involved in the effort, he said, along with WebRoot. The consortium also includes some antimalware companies specific to China. Kingsoft, one of the largest Chinese antivirus companies, is involved. Another Chinese antivirus firm, Rising, has also declared its interest in the consortium.

McCartney site hacked

Paul McCartney’s site was serving up the Zeus trojan for three days, according to UK security firm ScanSafe. The attack, in which paulmccartney.com was compromised with malicious JavaScript, appears to have been tailored to coincide with interest in his New York reunion concert in early April.

Attackers embedded a malicious IFRAME into the site, along with malicious JavaScript that used a unique multi-layer obfuscation attack, said ScanSafe’s director of product management Spencer Parker. “There is no other web site, of the billion or so we’ve visited as part of our service, that’s ever done something like this before,” Parker said. The JavaScript used different character encodings to cloak itself, and also sent an SSL certificate to the browser to encrypt its payload. The IFRAME and JavaScript directed the victims’ machines to a single IP address (84.244.138.55) based in Amsterdam, which has now been shut down. Reverse IP lookups reveal no information about the site, but it showed up on a malicious IP list. The IP address hosted the LuckySploit toolkit, which looks for multiple vulnerabilities on target machines, including the recently patched Adobe PDF bug. Once a vulnerability has been found, the toolkit is believed to have delivered the Zeus trojan onto victims’ machines. The quick shutting down of the IP address, in conjunction with the reunion concert, suggests that the attack was designed to harvest the maximum possible amount of traffic. “They do time their attacks very well. When the hackers find a way to exploit one of these sites and get their code embedded on the page, they will always try and time that for maximum effect,” Parker said. “And like a lot of attacks at the moment, it’s based on embedding a very small amount of code on the site.”

Should vendors be liable for security flaws in software?

By Carl Almond, senior director, Americas Security Practice, Avanade

Integrating security into applications is an obvious thing, especially since most software bugs are the result of small errors in the code or oversights in the requirements. However, very few people have publicly asked the question: should the vendors who create software containing security holes be held liable for their oversights? With the National Security Agency, along with the SANS Institute and MITRE, highlighting the urgent need for a solution with their list of the top 25 most dangerous programming errors, companies and vendors need to pay more attention.[1] Organisations need to start asking more questions about the security of commercial off-the-shelf (COTS) software and the custom applications that are developed specifically for them. According to a description of the Top 25 project by the SANS Institute, the avoidance of most of these errors is not widely taught by computer science programs, and their presence is frequently not tested by organisations developing software for sale. And the impact of these errors can be huge. SANS says that just two of the errors led to more than 1.5 million web site security breaches during 2008, and those breaches cascaded onto the computers of people who visited those web sites, turning their machines into zombies.[2]

When discussing flawed applications and possible liability, it is necessary to separate the issue into two subcategories. First, there are COTS applications that are produced en masse and have been programmed with a set of general features in mind. These features may or may not be exactly what the consumer is looking for, but they generally fit the bill. In the case of COTS applications, each application comes with an End User License Agreement (EULA) that states the rules upon which the user gets access
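The McCartney item above describes the injection pattern a site owner would want to catch early: a small, hidden IFRAME pointing the browser at a single raw IP address, plus JavaScript cloaked with character escapes that is decoded at run time. The scanner below is an added example, not code from the article, from ScanSafe or from any of the vendors named; it uses only the Python standard library. The sample page, the 192.0.2.10 address (from the TEST-NET range) and the detection thresholds are constructed for illustration and are not the indicators from the real attack.

```python
"""Flag drive-by-download markers in a page's HTML: IFRAMEs that are hidden or
point at a bare IP address, and script blocks that look escape-encoded."""
import re
from html.parser import HTMLParser

# http(s)://<dotted quad>[:port] -- a frame loaded from a raw IP is unusual
# enough on a public site that it deserves a second look.
BARE_IP_URL = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(?::\d+)?(/|$)")
# One \xNN, \uNNNN or %NN escape sequence.
ESCAPE_SEQ = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}")
# Calls that typically turn an encoded string back into executable code/markup.
DECODER_CALLS = ("unescape(", "String.fromCharCode(", "eval(", "document.write(")
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Fraction of a script body made up of escape sequences above which it is
# reported (constructed threshold; tune against your own pages).
ESCAPE_RATIO = 0.25


class DriveByScanner(HTMLParser):
    """Collects (kind, snippet, reasons) tuples while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            reasons = []
            if BARE_IP_URL.match(src):
                reasons.append("src points at a bare IP address")
            if (a.get("width") or "").strip() in ("0", "1") or \
               (a.get("height") or "").strip() in ("0", "1"):
                reasons.append("zero/one-pixel frame")
            if HIDDEN_STYLE.search(a.get("style") or ""):
                reasons.append("frame hidden by CSS")
            if reasons:
                self.findings.append(("iframe", src, reasons))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw data, not as tags.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._check_script("".join(self._script_buf))

    def _check_script(self, body):
        if not body:
            return
        escapes = ESCAPE_SEQ.findall(body)
        ratio = sum(len(e) for e in escapes) / len(body)
        reasons = []
        if ratio > ESCAPE_RATIO:
            reasons.append(f"escape-encoded text ({len(escapes)} escapes)")
        used = [c for c in DECODER_CALLS if c in body]
        if used and escapes:
            reasons.append("decoder calls with encoded payload: " + ", ".join(used))
        if reasons:
            self.findings.append(("script", body[:40], reasons))


def scan_html(html):
    """Return the list of findings for one HTML document."""
    p = DriveByScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page: two benign scripts, one benign frame, then an
# injected hidden frame and an escape-encoded script of the kind described.
SAMPLE_PAGE = """<html><body>
<h1>Tour dates</h1>
<script src="/js/site.js"></script>
<script>var dates = ["2009-04-17", "2009-04-18"];</script>
<iframe src="https://www.example.com/ticket-widget" width="300" height="200"></iframe>
<iframe src="http://192.0.2.10/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%78%27%29'));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, snippet, reasons in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {snippet!r}\n    " + "\n    ".join(reasons))
```

Run over a crawl of your own site (or a diff of what the web server is actually serving against what is in version control), this turns the "very small amount of code" Parker describes into something a nightly job can report on. The heuristics are deliberately simple; real obfuscation uses many more encodings, so treat a hit as a prompt for a human to look at the page, not as proof of compromise.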