CERT-In Monthly Security Bulletin January 2010
Cyber Intrusion Trends

In this month 246 security incidents were reported to CERT-In from various National/International agencies. As shown in the figure, 63% of the incidents reported in this month related to spamming. Other reported incidents include 18% phishing incidents, 8% virus/worm incidents under the Malicious code category, 7% unauthorized scanning and 4% incidents related to technical help under the Others category.

In this month CERT-In tracked 19 C&C (Command & Control) servers and 35659 bot-infected computers existing in India. The concerned ISPs were intimated to disinfect the bot-infected systems and C&C servers to mitigate botnets.

Cyber Intrusion during January 2010

Indian Websites Defacement

570 Indian websites were defaced during January 2010. The vulnerabilities which might have been exploited for the defacements are:

Vendor/Product | Title of Vulnerability | References & Patch Information
phpMyAdmin | scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before 2.11.10 calls the unserialize function on the values of the (1) configuration and (2) v[0] parameters, which might allow remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. | -
phpMyAdmin | SQL injection vulnerability in the PDF schema generator functionality in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified interface parameters. | -
phpMyAdmin | libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 uses predictable filenames for temporary files, which has unknown impact and attack vectors. | -
phpMyAdmin | libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 creates a temporary directory with 0777 permissions, which has unknown impact and attack vectors. | CVE-2008-7251
PHP | Multiple Vulnerabilities in PHP | -
Microsoft-IIS | Remote Authentication Bypass Vulnerability in Microsoft IIS 6.0 WebDAV | -
Apache | Apache "Options" and "AllowOverride" Security Bypass Vulnerability | -
Joomla! | Multiple SQL injection vulnerabilities in the DJ-Catalog (com_djcatalog) component for Joomla! allow remote attackers to execute arbitrary SQL commands | -
Joomla! | SQL injection vulnerability in the JoomlaCache CB Resume Builder (com_cbresumebuilder) component for Joomla! allows remote attackers to execute arbitrary SQL commands | -
Joomla! | com_php for Joomla "id" Parameter Remote SQL Injection Vulnerability | -
PHP | CRLF injection vulnerability in bs_disp_as_mime_type.php in the BLOB streaming feature in phpMyAdmin | -
PHP | Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 | -
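The two phpMyAdmin temp-file entries in the table above (predictable filenames and a temporary directory created with 0777 permissions) describe a general class of defect: a local user who can guess the name, or write into the directory, can pre-plant a file or symlink that the application then writes through. The Python below is an added illustration, not phpMyAdmin's code; it shows the weak pattern beside the hardened one and a small audit helper. The names weak_tempdir, hardened_tempdir, audit and the "app_tmp" directory name are assumptions made for the example.

```python
import os
import shutil
import stat
import tempfile


# Weak pattern (assumed illustration of the class of bug above, not phpMyAdmin's code):
# a fixed, guessable directory name under a shared base and a world-writable mode.
def weak_tempdir(base, name="app_tmp"):
    path = os.path.join(base, name)
    os.makedirs(path, exist_ok=True)   # silently reuses a directory another user may have planted
    os.chmod(path, 0o777)              # every local user can now create files and symlinks here
    return path


def weak_tempfile(directory, name="upload.tmp"):
    path = os.path.join(directory, name)   # predictable, so it can be pre-created by someone else
    with open(path, "w") as fh:            # open() follows a pre-planted symlink to its target
        fh.write("data")
    os.chmod(path, 0o666)                  # world-writable scratch file
    return path


# Hardened pattern: unpredictable names, atomic creation, owner-only permissions.
def hardened_tempdir(prefix="app-"):
    return tempfile.mkdtemp(prefix=prefix)   # random suffix, created with mode 0700


def hardened_tempfile(directory):
    # mkstemp opens with O_CREAT|O_EXCL and mode 0600: if the name already exists
    # (including as a symlink) the call fails instead of following it.
    fd, path = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write("data")
    return path


def audit(path):
    """Return the list of weaknesses found on a temp path; an empty list means clean."""
    findings = []
    st = os.lstat(path)                    # lstat so a symlink is reported, not its target
    mode = stat.S_IMODE(st.st_mode)
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IRGRP):
        findings.append("group-accessible")
    return findings


def cleanup(path):
    shutil.rmtree(path, ignore_errors=True)


if __name__ == "__main__":
    base = hardened_tempdir()
    weak = weak_tempdir(base)
    print("weak dir:      ", audit(weak))
    print("weak file:     ", audit(weak_tempfile(weak)))
    hard = hardened_tempdir(prefix="demo-")
    print("hardened dir:  ", audit(hard))
    print("hardened file: ", audit(hardened_tempfile(hard)))
    cleanup(base)
    cleanup(hard)
```

The audit helper is the check a reviewer can run against any directory an application uses for scratch files: world- or group-accessible bits, or a symlink where a directory was expected, are the conditions that turn "unknown impact" into a concrete local attack.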
Open proxy servers

Any proxy server that does not restrict its client base to its own set of clients and allows any other client to connect to it is known as an open proxy server. An open proxy server will accept client connections from any IP address and make connections to any Internet resource.

CERT-In tracked 226 open proxy servers functioning in India during January 2010. All the concerned ISPs were alerted immediately to shut down the open proxy servers. A bar chart of open proxy servers tracked during this year is shown in the figure.
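One way a proxy operator or ISP can confirm the condition described above from its own records is to look in the proxy's access log for requests that were served to clients outside the address blocks the proxy is meant to serve. The Python below is an added example and not CERT-In's tooling: the Squid-style access.log lines and the customer address blocks are constructed for the illustration, and the function names are assumed.

```python
import ipaddress

# Constructed sample lines in Squid's native access.log layout (not real traffic):
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1264550400.123 212 10.20.30.40 TCP_MISS/200 5123 GET http://example.org/ - DIRECT/93.184.216.34 text/html
1264550401.456 198 198.51.100.7 TCP_MISS/200 8801 GET http://example.net/index.html - DIRECT/203.0.113.9 text/html
1264550402.789 12 198.51.100.7 TCP_DENIED/403 1700 CONNECT mail.example.com:25 - NONE/- text/html
1264550403.001 150 203.0.113.200 TCP_MISS/200 3321 CONNECT www.example.com:443 - DIRECT/203.0.113.1 -
1264550404.500 90 10.20.30.41 TCP_HIT/200 2210 GET http://example.org/logo.png - NONE/- image/png
"""

# Address blocks this proxy is supposed to serve (assumed values for the example).
CUSTOMER_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def parse_line(line):
    """Split one native-format Squid log line into the fields we need, or None if malformed."""
    f = line.split()
    if len(f) < 7:
        return None
    code, _, status = f[3].partition("/")
    try:
        client = ipaddress.ip_address(f[2])
        status = int(status)
    except ValueError:
        return None
    return {"client": client, "code": code, "status": status, "method": f[5], "url": f[6]}


def is_customer(addr):
    return any(addr in net for net in CUSTOMER_NETS)


def open_relay_evidence(log_text):
    """Return (client, method, url) for every request the proxy served to a non-customer address.

    Denied requests (TCP_DENIED or a 4xx/5xx status) are not evidence: the ACLs did their job.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_customer(rec["client"]):
            continue
        if rec["code"] != "TCP_DENIED" and rec["status"] < 400:
            hits.append((str(rec["client"]), rec["method"], rec["url"]))
    return hits


def summarize(log_text):
    """Served requests per foreign client; any entry here means the proxy is effectively open."""
    counts = {}
    for client, _, _ in open_relay_evidence(log_text):
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for client, method, url in open_relay_evidence(SAMPLE_LOG):
        print(f"served foreign client {client}: {method} {url}")
    print(summarize(SAMPLE_LOG))
```

A non-empty result means the proxy's access rules should be tightened so that only the customer networks are allowed and everything else is denied (in Squid, an acl for the customer ranges followed by http_access allow for it and http_access deny all). Note that the third sample line, a CONNECT to port 25 that the proxy refused, is exactly the kind of relay attempt an open proxy would otherwise pass on.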

 

Statistics of Open Proxy Servers tracked during Jan 2010

 

Website Compromise and Malware Propagation

CERT-In is tracking malicious web sites/URLs on a regular basis. In this month CERT-In tracked 433 websites infected with malicious content. A user visiting these websites/URLs is redirected to malicious sites which download malicious code such as viruses, worms, trojans, keyloggers and rootkits on to the user's computer.

The website owners are informed to remove the infection from these websites and are advised to strengthen the security of their websites.

Statistics of WCMP tracked during Jan 2010

Attack Trend

CERT-In has observed that commonly used programs such as Adobe PDF Reader, Adobe Flash and Microsoft Office are exploited widely to steal data from the target computers and also to install back doors through which the attackers can gain control for further exploitation. Most of the time this happens when users visit infected websites. The infected machines are further used as a medium to propagate the infection to other internal computers. By exploiting vulnerabilities such as SQL injection and XSS flaws, trusted websites are converted into malicious websites serving content that contains client-side exploits.

CERT-In has observed targeted attacks on social networking sites like Twitter, Facebook, etc. Short URLs add to the problem, since they remove the user's ability to read the real web address and decide whether a link is safe to follow.

Training

Workshop on "Computer Forensics: Seizing & Imaging of Digital Evidence" on January 04, 2010

A workshop on "Computer Forensics: Seizing & Imaging of Digital Evidence" was conducted on January 4, 2010. The aim was to create awareness among officials of law enforcement agencies of the issues in seizing and imaging digital evidence, through hands-on practicals. Delegates were from all State police departments and cyber crime cells.

Workshop on "Data Centre Security" on January 15, 2010

A workshop on "Data Centre Security" was conducted on January 15, 2010. The aim was to create awareness among Central/State Government and critical sector organisations owning data centres of how to secure a data centre with the latest techniques and methodologies. Delegates were from State Government Departments/Ministries, PSUs and critical sector organisations.

Workshop on "Network Security" on January 28-29, 2010

A 2-day training workshop on "Network Security" was conducted on January 28-29, 2010. The aim was to create awareness among Government and critical sector organisations of how to secure an organisation's computer network using the latest techniques and methods, in order to minimise risk and security attacks. Delegates were from Government Departments/Ministries, PSUs and critical sector organisations.

Security Alerts

The critical and medium vulnerabilities in various Operating Systems, Application software and Network devices discovered during January 2010 and their countermeasures, along with widespread malicious code such as viruses, worms and Trojans, are given below:

High Vulnerabilities

Microsoft
Vendor/Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Microsoft | Remote Code execution vulnerability in Microsoft Embedded OpenType Font Engine | 13-Jan-10 | CIAD-2010-01
Microsoft | Microsoft Internet Explorer Remote Code Execution Vulnerabilities | 22-Jan-10 | CIAD-2010-03
Microsoft | Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability | 22-Jan-10 | CIVN-2010-03
Microsoft | Microsoft Windows #GP Trap Handler Local Privilege Escalation Vulnerability | 22-Jan-10 | CIVN-2010-04

Miscellaneous
Vendor/Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Mozilla | Multiple Vulnerabilities in Mozilla Products | 21-Dec-09 | CIAD-2009-59
Adobe | Multiple Vulnerabilities in Adobe Flash player and AIR | 11-Dec-09 | CIAD-2009-58

Medium Vulnerabilities
Vendor/Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Oracle | Multiple Vulnerabilities in various Oracle products | 13-Jan-10 | CIAD-2010-02
Adobe | Multiple Vulnerabilities in Adobe Shockwave Player | 22-Jan-10 | CIAD-2010-04
Malicious Code Threats

W32/Zimuse
Type: Worm
Overview: It has been reported that variants of the Zimuse worm are pervasive; they perform a destructive overwrite of the Master Boot Record (MBR) of the disk drives on the infected system.
Aliases: Worm:Win32/Zumes.A (Microsoft), W32/Zimuse (McAfee, Symantec), Trojan.Generic.1729691 (BitDefender), W32/Threat-SysVenFakP-based!Maximus (F-Prot)
Discovery Date: January 27, 2010
References: http://www.cert-in.org.in/virus/W32_Zimuse.htm

Trojan Hydraq
Type: Trojan
Overview: It has been reported that a backdoor Trojan, Hydraq, is spreading in the wild. It arrives on the system as a malicious document attached to an email, or through a spoofed email message containing a link to a malicious website from which it is downloaded.
Aliases: TROJ_HYDRAQ.A (Trend), Win32/Enuairs.A (eTrust-Vet), Backdoor:Win32/Mdmbot.B (Microsoft), Trojan.Hydraq (PCTools), CC.Agent.BA (Ikarus)
Discovery Date: January 18, 2010
References: http://www.cert-in.org.in/virus/Trojan_Hydraq.htm

Worm Qakbot
Type: Worm
Overview: It has been reported that Win32/Qakbot, an information-stealing worm, is spreading widely. It spreads via network shares, opens a backdoor, communicates with an IRC command and control server, and downloads and installs additional malware on the compromised system.
Aliases: Trojan.Spy.Shoe.B (BitDefender), Win32/Qakbot!generic (CA), W32/Pinkslipbot (McAfee), Trojan-Spy.Win32.Botinok.a (Kaspersky), Mal/Qbot-B (Sophos), W32.Qakbot (Symantec), Backdoor.QBot.F (VirusBuster), Backdoor:Win32/Qbot.A (other), TrojanSpy:Win32/Botinok (other)
Discovery Date: January 06, 2010
References: http://www.cert-in.org.in/virus/Worm_Qakbot.htm

Security News

IE Windows vuln coughs up local files
[Source: theregister.co.uk] 27 January 2010

If you use any version of Internet Explorer to surf Twitter or other Web 2.0 sites, Jorge Luis Alvarez Medina can probably read the entire contents of your primary hard drive.

The security consultant at Core Security said his attack works by clicking on a single link that exploits a chain of weaknesses in IE and Windows. Once an IE user visits the booby-trapped site, the webmaster has complete access to the machine's C drive, including files, authentication cookies - even empty hashes of passwords.

This isn't the first time security researchers at Core have identified security weaknesses in IE. The company issued this advisory in 2008 and this one in 2009, each identifying specific links in the chain that could potentially be abused by an attacker.

768-bit RSA cracked, 1024-bit safe (for now)
[Source: arstechnica.com] 07 January 2010

With the increasing computing power available to even casual users, the security-conscious have had to move on to increasingly robust encryption, lest they find their information vulnerable to brute-force attacks. The latest milestone to fall is 768-bit RSA; in a paper posted on a cryptography preprint server, academic researchers have now announced that they factored one of these keys in early December.

Most modern cryptography relies on single large numbers that are the product of two primes. If you know the numbers, it's relatively easy to encrypt and decrypt data; if you don't, finding the numbers by brute force is a big computational challenge. But this challenge gets easier every year as processor speed and efficiency increase, making "secure" a bit of a moving target. The paper describes how the process was done with commodity hardware, albeit lots of it. 
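To make the paragraph's point concrete, the following Python example (added here; it is not from the article or from the paper it reports on) builds a textbook RSA key from two tiny primes, factors the modulus by trial division, and recovers the private exponent from the factors. The toy sizes are deliberate: the recovery step is identical at any size, and what the 768-bit result shows is that the factoring step has become feasible for moduli that were once considered out of reach. All function names are assumptions made for the example.

```python
from math import isqrt


def keygen(p, q, e=17):
    """Textbook RSA key from two primes. Returns (public, private) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def factor(n):
    """Trial division up to sqrt(n). Fine for toy moduli; hopeless at real key sizes,
    which is exactly why the security of RSA rests on the size of n."""
    for cand in range(2, isqrt(n) + 1):
        if n % cand == 0:
            return cand, n // cand
    raise ValueError("no non-trivial factor found")


def recover_private_exponent(pub):
    """What an attacker obtains once n is factored: the private exponent d."""
    n, e = pub
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    # Constructed toy parameters: p = 61, q = 53, e = 17 (the usual textbook values).
    pub, priv = keygen(61, 53)
    c = encrypt(pub, 65)
    print("public key", pub, "ciphertext", c)
    d = recover_private_exponent(pub)              # the attacker's step
    print("recovered d =", d, "decrypts to", decrypt((pub[0], d), c))
```

Two things are worth noting. First, recovering d needs nothing but the public key and the factors, so "factored" and "broken" mean the same thing for an RSA key. Second, the researchers did not use trial division; the 768-bit factorisation used a number field sieve spread over many machines, and the article's point is that the commodity hardware required is no longer exotic, which is the reason to treat 1024-bit keys as having a limited remaining lifetime.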

Google, Adobe attacked through China
[Source: securityfocus.com] 13 January 2010

Google announced that the Internet giant is considering exiting the Chinese market after sophisticated online attacks targeted its systems to breach the Gmail accounts of pro-democracy activists.

In a post to its blog, the company stated that an investigation into an attack against the Gmail accounts of pro-democracy activists turned up evidence of a much broader assault against Google's systems. The attack -- first noticed in mid-December and considered "highly sophisticated and targeted" -- resulted in the "theft of intellectual property," the company stated. It's unclear from the statement whether the two Gmail accounts accessed by attackers constituted intellectual property.

As a result of the investigation's conclusions, Google intends to stop filtering its results in the Chinese market and open up a debate with the government to discuss its business, David Drummond, chief legal officer for Google, said in the blog post.

Firefox-based attack wreaks havoc on IRC users
[Source: theregister.co.uk] 30 January 2010

Underscoring a little-known web vulnerability, hackers are exploiting a weakness in the Mozilla Firefox browser to wreak havoc on Freenode and other networks that cater to users of internet relay chat.

Using a piece of javascript embedded into a web link, the hackers force users of the open-source browser to join IRC networks and flood channels with diatribes that include the same internet address. As IRC users with Firefox follow the link, their browsers are also forced to spam the channels, giving the attack a viral quality that has caused major disruptions for almost a month.

Amateur goof makes Twitter account hijacking a snap
[Source: theregister.co.uk] 22 January 2010

Twitter is sitting on an amateur configuration blunder that makes it trivial for attackers to take control of user accounts, a researcher said.

The error resides in an Adobe Flash object hosted on the microblogging site, said Mike Bailey, a senior security analyst with penetration testing firm Foreground Security. Contrary to Adobe recommendations, the object is free to load files hosted virtually anywhere on the net, including those containing booby-trapped javascript and action script.

"This is not Adobe's fault," Bailey told El Reg. "This is due to the fact that a lot of really bad programmers are coding Flash objects. I've seen literally hundreds of these things across the web."

Tor Project suffers hack attack
[Source: blogs.zdnet.com] 22 January 2010

The Tor Project, a service that provides privacy and anonymity to Web users, said hackers broke into two of its servers and used the CPU and bandwidth to launch additional attacks.

Tor project lead Roger Dingledine confirmed the hack in an e-mail that urged users to immediately upgrade to get fresh identity keys for the two compromised directory authorities.

Dingledine writes:

We took the services offline as soon as we learned of the breach. It appears the attackers didn't realize what they broke into — just that they had found some servers with lots of bandwidth. The attackers set up some ssh keys and proceeded to use the three servers for launching other attacks. We've done some preliminary comparisons, and it looks like git and svn were not touched in any way.

Microsoft knew of IE zero-day flaw since last September
[Source: blogs.zdnet.com] 21 January 2010

Microsoft admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.

The flaw was in the Microsoft Security Response Center's (MSRC) queue to be fixed in the next batch of patches due in February, but the targeted zero-day attacks against U.S. companies forced the company to release an emergency, out-of-band IE update.

The IE update applies to all versions of the browser on all Windows OS versions and patches at least eight documented vulnerabilities that could lead to remote code execution attacks.

Banking Trojan coming at you from all sides
[Source: net-security.org] 21 January 2010

Using the very effective tactic of multiple attack vectors, the makers of the Zbot banking Trojan are ensuring a high enough infection rate for them to make profit.

A recent example of this has been registered by CA. A recently received email purporting to come from Fifth Third Bank asks the users to use an embedded link to log in to their online banking account and check out "new security features".

If they follow the link, they are taken to a fake Fifth Third Bank website. When they enter their ID and password, it is automatically sent to a malware server.

Large-scale attacks exploit unpatched PDF bug
[Source: computerworld.com] 7 January 2010

A week before Adobe is scheduled to patch a critical vulnerability in its popular PDF software, hackers are actively exploiting the bug with both targeted and large-scale attacks, a security researcher said today.

The SANS Institute's Internet Storm Center (ISC) reported Monday that they'd received samples of a new rigged PDF document that hijacked PCs using a bug Adobe acknowledged Dec. 14. Later last month, Adobe said it would not patch the bug until Jan. 12. In his write-up of the sample, ISC analyst Bojan Zdrnja called the attack PDF "sophisticated" and its use of egg-hunt shellcode "sneaky."

"Egg-hunt shellcode" is a term for a multi-stage payload used when the hacker can't determine where in a process' address space the code will end up.

Hacker pierces hardware firewalls with web page
[Source: theregister.co.uk] 06 January 2010

A hacker named Samy Kamkar demonstrated a way to identify a browser's geographical location by exploiting weaknesses in many WiFi routers. Now, he's back with a simple method to penetrate hardware firewalls using little more than some javascript embedded in a webpage.

By luring victims to a malicious link, the attacker can access virtually any service on their machine, even when it's behind certain routers that automatically block it to the outside world. The method has been tested on a Belkin N1 Vision Wireless router, and Kamkar says he suspects other devices are also vulnerable.

54% of companies planning to deploy mobile antivirus in 2010
[Source: securecomputing.net.au] 08 January 2010

More than half of companies are planning to deploy mobile anti-virus products and services this year.

According to the second part of the Mobile Security 2009 Survey by Goode Intelligence, 54 per cent of the organizations surveyed plan to deploy mobile anti-virus products and services, with 33 per cent planning to deploy mobile anti-virus products and services by March 2010. The remaining 67 per cent plan to deploy by September 2010.

The survey reveals that while nearly 71 per cent of organisations currently feel that the threat from mobile phone viruses is low, this number drops significantly for the perceived threat by 2011, with only 21 per cent believing the risk to be low and 29 per cent forecasting that the risk will be high or very high.

France considers tax for Google, Yahoo and Facebook
[Source: news.bbc.co.uk] 08 January 2010

A report, commissioned by the government, suggests firms such as Google, Yahoo and Facebook should pay a new tax on their online ad revenues. The money could be used to fund legal alternatives for buying books, films and music on the internet. But critics say the tax would be difficult to implement and Google says it could slow down innovation.

President Nicolas Sarkozy has taken a tough line on the increasing dominance of digital content. France has just introduced tough new legislation aimed at removing those who persistently download illegal content from the net. It has also gone head-to-head with Google over its plans to digitise the world's books, with a project to set up its own digital library financed by the government to the tune of £700m. And it is considering a law which would give net users the option to have old data about themselves deleted.

The clash between virtualization and compliance
[Source: infoworld.com] 11 January 2010

Everyone loves new technology that actually makes it easier to keep the joint running. When a technology like virtualization comes along, which fully exploits hardware and makes scaling much simpler, people flock to it. But how many are aware they might be violating compliance requirements?

Specifically, I'm talking about the PCI DSS (Payment Card Industry Data Security Standard), probably the most stringent set of mainstream compliance regulations in effect. Though imposed by the credit card industry, not the government, PCI DSS stipulates fines for certain violations -- not to mention the far worse threat of having your authorization to process credit card transactions revoked.

ISPs could cut spam easily, says expert
[Source: news.techworld.com] 18 January 2010

Two simple techniques could be used to strangle botnets, a security expert has claimed. First, block email port 25 by default. Second, tell users when they are spewing spam from compromised PCs.

According to Trend Micro's CTO, Dave Rand, who is leading a campaign to reform the way ISPs approach the matter of botnets and spam, the two countries that adopted such techniques, The Netherlands and Turkey, have seen a huge reduction in the numbers of botnetted PCs.

According to his own figures and analysis, Turkey went from having around 1.7 million compromised PCs per month to only 35,000 after implementing techniques through its major ISP, Turk Telekom.
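The two measures described in this item, a default block on outbound port 25 except to the ISP's own mail relays and a notification to customers whose machines are sending spam, can be expressed as a policy check and a detection rule over flow records. The Python below is an added example, not Trend Micro's or any ISP's code; the flow records, the relay address, the customer ranges and the threshold are constructed for the illustration, and the function names are assumed.

```python
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style summary records (not real data): src_ip,dst_ip,dst_port,packets
SAMPLE_FLOWS = """\
10.1.1.5,203.0.113.10,25,6
10.1.1.5,203.0.113.11,25,5
10.1.1.5,203.0.113.12,25,7
10.1.1.5,203.0.113.13,25,4
10.1.1.5,203.0.113.14,25,6
10.1.1.5,203.0.113.15,25,5
10.1.1.7,203.0.113.10,25,8
10.1.1.7,203.0.113.20,25,3
10.1.1.9,10.0.0.25,25,40
10.1.1.9,10.0.0.25,25,12
10.1.1.12,203.0.113.50,443,120
10.1.1.12,203.0.113.10,587,30
"""

# Assumed: the ISP's own outbound SMTP relay, the one place customers may send port-25 traffic.
ISP_MAIL_RELAYS = {ipaddress.ip_address("10.0.0.25")}


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        src, dst, dport, pkts = line.split(",")
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), int(pkts)))
    return flows


def port25_policy(src, dst, dport):
    """Measure 1: block direct port 25 by default; the ISP relay stays reachable and the
    submission port (587), which legitimate mail clients use with authentication, is untouched."""
    if dport != 25:
        return "allow"
    return "allow" if dst in ISP_MAIL_RELAYS else "deny"


def denied_flows(flows):
    """Flows the default-block rule would have stopped: (src, dst) pairs as strings."""
    return [(str(s), str(d)) for s, d, p, _ in flows if port25_policy(s, d, p) == "deny"]


def spam_suspects(flows, threshold=5):
    """Measure 2: a customer host talking SMTP directly to many distinct foreign mail servers
    behaves like a spam bot; return (src, distinct_destinations) for hosts at or over threshold."""
    targets = defaultdict(set)
    for src, dst, dport, _ in flows:
        if dport == 25 and dst not in ISP_MAIL_RELAYS:
            targets[src].add(dst)
    return sorted((str(src), len(dsts)) for src, dsts in targets.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("flows the port-25 default block would stop:", len(denied_flows(flows)))
    for src, n in spam_suspects(flows):
        print(f"notify customer at {src}: {n} distinct mail servers contacted directly on port 25")
```

In the sample, 10.1.1.9 relays through the ISP's own server and is neither blocked nor flagged, 10.1.1.12 uses the submission port and is untouched, and only 10.1.1.5, which fans out to six foreign mail servers, crosses the notification threshold. The threshold and window are the operator's choice; a real deployment would count over a time window and whitelist customers who run their own mail servers.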

General public more aware of security threats: RSA
[Source: securecomputing.net.au] 22 January 2010

Reporting on security concerns around social networking sites has led to an increased knowledge of online privacy.

A survey by RSA found that consumer awareness of phishing attacks has doubled between 2007 and 2009, and the number of consumers who reported falling prey to this attack increased six times during that same period.

In addition, while hundreds of thousands of people join social networking websites each day, the survey exposed that nearly two in three people who belong to these online communities indicated they are less likely to interact or share information due to their growing security concerns. Also, four out of five people using social networking websites displayed concern with the safety of their personal information online.

The number of people who were aware of phishing attacks has also doubled from 38 per cent to 76 per cent, while 89 per cent reported concerns caused by the threat of phishing.
