Hacking & Security
Server Root.cz začal vydávat seriál věnovaný tématům spojeným s internetovou bezpečností. První část tohoto projektu realizovala redakce Root.cz v roce 2013; CSIRT.CZ byl tenkrát hlavním partnerem. Nabídku spolupráce jsme využili i letos. V rámci tohoto pokračování se tak můžete těšit na naše příspěvky věnované OWASP a DNS Amplification útokům.
The rising intensity of POS threats has created a precarious environment for retailers looking to protect their customers’ financial and personal data. POS systems are increasingly becoming a soft target for hackers, which is why it’s more important than ever to consider the security of these machines and the information [...]
The post The Importance of POS Threat Analysis for the Retail Sector appeared first on InfoSec Institute.
In my last piece, I explained how Nintendo’s experiences with piracy and copy protection helped shape the current video game industry, where Sony has been a major player for nearly twenty years now. Technologies like the 10NES lock-out chip didn’t just help Nintendo and authorized thirdparty developers, they also benefitted [...]
The post The Fascinating Story of DRM: Part Two, The Origin of Launch Week Battle appeared first on InfoSec Institute.
About 100,000 or more websites running the WordPress content management system have been compromised by mysterious malware that turns the infected sites into attack platforms that can target visitors, security researchers said.
The campaign has prompted Google to flag more than 11,000 domains as malicious, but many more sites have been detected as compromised, according to a blog post published Sunday by Sucuri, a firm that helps website operators secure their servers. Researchers have yet to confirm the cause of the infection, but they suspect it's related to a vulnerability in Slider Revolution, a WordPress plugin, that was disclosed in early September. Update: In a new blog post published after Ars went live with this brief, Sucuri says it has confirmed the so-called "RevSlider" vulnerability is the culprit.
The in-the-wild attack observed by Sucuri causes infected sites to load highly obfuscated attack code on every webpage that includes the following:
Ačkoliv záplata pro zařízení QNAP, která řeší známou zranitelnost ShellShock, existuje již od října, stále je mnoho zařízení, na kterých nebyla aplikována. Důvodem je určitá obtížnost tohoto kroku z pohledu běžného uživatele.
Nový červ útočí na skript '/cgi-bin/authLogin.cgi', který je známým vektorem pro Shellshock na zařízeních QNAP. Skript je volán během přihlašování a proto je dostupný bez zalogování. Po útoku se pak jednoduchý shell skript postará o stažení a spuštění dalších kousků malware.
Kromě jiného je na napadeném zařízení na portu 26 spuštěno SSH a je přidán uživatel s administrátorskými právy pojmenovaný "request". Původní zdroj informace je dostupný zde.
Criminal hackers are actively exploiting the critical shellshock vulnerability to install a self-replicating backdoor on a popular line of storage systems, researchers have warned.
The malicious worm targets network-attached storage systems made by Taiwan-based QNAP, according to a blog post published Sunday by the Sans Institute. The underlying shellshock attack code exploits a bug in GNU Bash that gives attackers the ability to run commands and code of their choice on vulnerable systems. QNAP engineers released an update in October that patches systems against the vulnerability, but the discovery of the worm in the wild suggests a statistically significant portion of users have yet to apply it.
"The attack targets a QNAP CGI script, /cgi-bin/authLogin.cgi, a well known vector for Shellshock on QNAP devices," Johannes B. Ullrich, dean of research at Sans, wrote. "This script is called during login, and reachable without authentication. The exploit is then used to launch a simple shell script that will download and execute a number of additional pieces of malware."
Over the weekend I received a nice holiday letter from lawyers representing Sony Pictures Entertainment, demanding that I cease publishing detailed stories about the company’s recent hacking and delete any company data collected in the process of reporting on the breach. While I have not been the most prolific writer about this incident to date, rest assured such threats will not deter this reporter from covering important news and facts related to the breach.
“SPE does not consent to your possession, review, copying, dissemination, publication, uploading, downloading, or making any use of the Stolen information, and to request your cooperation in destroying the Stolen Information,” wrote SPE’s lawyers, who hail from the law firm of Boies, Schiller & Flexner.
This letter reminds me of one that I received several years back from the lawyers of Igor Gusev, one of the main characters in my book, Spam Nation. Mr. Gusev’s attorneys insisted that I was publishing stolen information — pictures of him, financial records from his spam empire “SpamIt” — and that I remove all offending items and publish an apology. My lawyer in that instance called Gusev’s threat a “blivit,” a term coined by the late, great author Kurt Vonnegut, who defined it as “two pounds of shit in a one-pound bag.”
For a more nuanced and scholarly look at whether reporters and bloggers who write about Sony’s hacking should be concerned after receiving this letter, I turn to an analysis by UCLA law professor Eugene Volokh, who posits that Sony “probably” does not have a legal leg to stand on here in demanding that reporters refrain from writing about the extent of SPE’s hacking in great detail. But Volokh includes some useful caveats to this conclusion (and exceptions to those exceptions), notably:
“Some particular publications of specific information in the Sony material might lead to a successful lawsuit,” Volokh writes. “First, disclosure of facts about particular people that are seen as highly private (e.g., medical or sexual information) and not newsworthy might be actionable under the ‘disclosure of private facts’ tort.”
Volokh observes that if a publication were to publish huge troves of data stolen from Sony, doing so might be seen as copyright infringement. “The bottom line is that publication of short quotes, or disclosure of the facts from e-mails without the use of the precise phrasing from the e-mail, would likely not be infringement — it would either be fair use or the lawful use of facts rather than of creative expression,” he writes.
Volokh concludes that Sony is unlikely to prevail — “either by eventually winning in court, or by scaring off prospective publishers — especially against the well-counseled, relatively deep-pocketed, and insured media organizations that it’s threatening,” he writes. “Maybe the law ought to be otherwise (or maybe not). But in any event this is my sense of the precedents as they actually are.”
This is actually the second time this month I’ve received threatening missives from entities representing Sony Pictures. On Dec. 5, I got an email from a company called Entura, which requested that I remove a link from my story that the firm said “allowed for the transmission and/or downloading of the Stolen Files.” That link was in fact not even a Sony document; it was a derivative work — a lengthy text file listing the directory tree of all the files stolen and leaked (at the time) from SPE. Needless to say, I did not remove that link or file.
Here is the full letter from SPE’s lawyers (PDF).