Archive for February, 2012

Truth about the March 8 Internet Doomsday

Monday, February 20th, 2012

While it’s true some users may lose their Internet access next month, it’s not the FBI’s fault

Heard the one about the FBI shutting down the Internet next month?

Like many memes before it, this dire warning is floating around blogs and sites. It even names a date: March 8 as the day the FBI might “shut down the Internet.” But relax, that’s not really the case.

While yes, an untold number of people may lose their Internet connection in less than three weeks, if they do they only have nefarious web criminals to blame and certainly not the FBI.

If people end up in the dark on March 8 it’s because they’re still infected with the malware the FBI started warning people about last November when it shut down a long-standing Estonian Web traffic hijacking operation that controlled people’s computers using a family of DNSChanger viruses. The malware works by replacing the DNS (Domain Name System) servers defined on a victim’s computer with fraudulent servers operated by the criminals. As a result, victims are unknowingly redirected to websites that distribute fraudulent software or display ads that put money into the bad guys’ pockets.

Here’s the worst part: The malware also prevents security updates and disables installed security software.

To help protect victims, the FBI replaced the rogue servers with legitimate ones — a measure the agency said would be in effect for 120 days. Had it not taken that step and simply shut down the bad servers back in November, infected computers would have been immediately blocked from Internet access.

So the current problem isn’t that the FBI will be shutting down the Internet when the 120 days run out on March 8, it’s that many people and organizations haven’t removed the malware from their computers. In fact, as many as half of Fortune 500 companies and government agencies are delinquent in updating, according to some reports.

So how do you know if your computer or router is infected with DNSChanger?

The FBI says the best way to know is to have them checked out by a computer professional, which admittedly isn’t very helpful.

However, it does offer a resource paper PDF with guidance to make that determination yourself, although even if you find out your system is infected the FBI says you still need a pro to scrub your machine.

As another alternative, you can use the free Avira DNS Repair Tool to figure out if a computer is using one of the temporary DNS servers. Unfortunately, the tool only works on Windows and doesn’t actually remove the Trojan.

Indeed, removing the malware is a challenge, and many people will be cut off from Internet access on March 8, reports the security news site KrebsonSecurity. It also notes that the industry and law enforcement group DNSChanger Working Group (DCWG) has a site that can help people check whether their systems are infected.

To get help, network administrators can send a request to one of the members of the DCWG and home users can use the step-by-step instructions at the DCWG Web site to see if they’re infected with the DNSChanger malware.

If you determine your system is infected you can start from scratch and reinstall your operating system, or take the FBI’s advice and get help from a professional if you want to remain online after March 8.


Anonymous threatens to DDOS root Internet servers

Monday, February 20th, 2012

The threat from the hacktivist group is unlikely to be successful, said an expert

An upcoming campaign announced by the hacking group Anonymous directed against the Internet’s core address lookup system is unlikely to cause much damage, according to one security expert.

In a warning on Pastebin, Anonymous said last Thursday it would launch an action on March 31 as part of “Operation Global Blackout” that would target the root Domain Name System (DNS) servers.

Anonymous said the attack has been planned as a protest against “our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun”.

The DNS translates a Web site name, such as, into a numerical IP (Internet Protocol) address, which is used by computers to find the Web site.

The 13 authoritative root servers contain the master list of where other nameservers can look up an IP address for a domain name within a certain top-level domain such as “.com.”

The group said it had built a “Reflective DNS Amplification DDOS” (distributed denial-of-service) tool, which causes other DNS servers to overwhelm those root servers with lots of traffic, according to the Pastebin post.

But there are several factors working against the Anonymous campaigners, wrote Robert Graham, CEO of Errata Security.

“They might affect a few of the root DNS servers, but it’s unlikely they could take all of them down, at least for any period of time,” Graham wrote. “On the day of their planned Global Blackout, it’s doubtful many people would notice.”

Although there are 13 root servers, an attack on one would not affect the other 12, Graham wrote. Additionally, an attack would be less successful due to “anycasting,” which allows traffic for a root server to be redirected to another server containing a replica of the same data.

There are hundreds of other servers worldwide that hold the same data as the root servers, which increases the resiliency of DNS.

ISPs also tend to cache DNS data for a while, Graham wrote. ISPs may cache data for a day or two before needing to do a fresh lookup, a period governed by a value set on the authoritative servers known as the “time-to-live.” It means that even if a root server were down, it would not necessarily immediately affect an ISP’s customers.

Lastly, root DNS servers are closely watched. If trouble started, the malicious traffic to the root servers would likely be blocked, with disruptions lasting a few minutes, Graham wrote.

“Within minutes of something twitching, hundreds of Internet experts will converge to solve the problem,” he wrote.
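The caching argument above, as an added simulation (not code from the article or from Errata Security): a toy recursive resolver keeps answers for their TTL, so a root-chain outage only becomes visible to customers once a cached record expires while the outage is still running. Zone data, the 1-day TTL and the timings are constructed.

```python
"""Toy caching resolver: why a root-server outage is absorbed by cached TTLs.

Added illustration; all zone data and timings are constructed.
"""
import time


class UpstreamUnavailable(Exception):
    """The recursive lookup could not reach the root/authoritative chain."""


class FakeClock:
    """Deterministic clock so the simulation does not have to sleep."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class CachingResolver:
    """Minimal ISP-style recursive resolver with a TTL-bounded answer cache."""

    def __init__(self, authoritative, clock=time.time):
        # authoritative: name -> (answer, ttl_seconds); stands in for the
        # root -> TLD -> zone delegation chain that a real lookup walks.
        self.authoritative = authoritative
        self.clock = clock
        self.upstream_reachable = True
        self.cache = {}            # name -> (answer, expires_at)
        self.upstream_queries = 0

    def resolve(self, name):
        """Return (answer, source) where source is 'cache' or 'upstream'."""
        now = self.clock()
        cached = self.cache.get(name)
        if cached is not None and cached[1] > now:
            return cached[0], "cache"
        if not self.upstream_reachable:
            # Cache miss (or expired record) while the root chain is down:
            # the only case a customer actually notices.
            raise UpstreamUnavailable(name)
        self.upstream_queries += 1
        answer, ttl = self.authoritative[name]
        self.cache[name] = (answer, now + ttl)
        return answer, "upstream"


def simulate_root_outage():
    """Walk one name through a root outage; returns [(time, outcome), ...]."""
    clock = FakeClock()
    zone = {"www.example.com.": ("192.0.2.10", 86400)}   # constructed, 1-day TTL
    resolver = CachingResolver(zone, clock=clock)
    events = []

    def lookup():
        try:
            events.append((clock.now, resolver.resolve("www.example.com.")[1]))
        except UpstreamUnavailable:
            events.append((clock.now, "SERVFAIL"))

    lookup()                               # normal day: answer fetched and cached
    resolver.upstream_reachable = False    # "blackout": root chain unreachable
    clock.advance(3600)
    lookup()                               # an hour in: served from cache
    clock.advance(86400 - 3600 + 1)
    lookup()                               # TTL expired while root still down
    clock.advance(120)
    resolver.upstream_reachable = True     # flood blocked within minutes
    lookup()                               # fresh lookup succeeds again
    return events


if __name__ == "__main__":
    for t, outcome in simulate_root_outage():
        print(f"t={t:>8.0f}s  {outcome}")
```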


Congress passes bill that opens up TV spectrum

Saturday, February 18th, 2012

Tech groups praise a compromise that allows the FCC to set aside spectrum for unlicensed uses

The U.S. Congress has passed legislation that will allow the U.S. Federal Communications Commission to set aside a piece of unlicensed spectrum before new mobile spectrum auctions, despite opposition from some lawmakers who wanted all the available spectrum to be auctioned.

The spectrum provisions were attached to a bill, approved Friday by the U.S. House of Representatives and Senate, that will extend payroll tax breaks.

Unlicensed spectrum is used for Wi-Fi and Bluetooth services, and many technology companies have been eyeing unlicensed spectrum in current television spectrum for so-called long-distance super Wi-Fi service. The spectrum provisions in the payroll tax bill will allow the FCC to conduct so-called incentive auctions, which would give TV stations that voluntarily give up spectrum part of the proceeds from an auction.

The bill passed Friday also would give a 10MHz block of spectrum — the so-called D block in the 700MHz band — to public safety agencies for use in a nationwide mobile broadband network for police, firefighters and other emergency response agencies. The bill also provides an estimated US$7 billion from the proceeds of incentive auctions to build the nationwide network.

An alternative bill that was introduced by Republican Representative Greg Walden of Oregon, called the Jumpstarting Opportunity with Broadband Spectrum Act, would have required all new spectrum to be auctioned and would have prohibited the FCC from excluding carriers from bidding on spectrum for competitive reasons.

The provision barring the FCC from excluding bidders survived in the final version of the payroll tax bill that Senate and House negotiators agreed to Thursday.

Walden’s bill would have prohibited the FCC from attaching net neutrality provisions to future wireless auctions. That provision was stripped out of the bill passed Friday.

Several tech and consumer groups praised Congress for allowing the FCC to set aside unlicensed spectrum before new auctions.

“Congress’ rejection of a requirement that the FCC auction all newly available spectrum, including unlicensed spectrum, underscores the general understanding that unlicensed spectrum is vital to our Internet economy,” the Wireless Innovation Alliance, an unlicensed spectrum advocacy group, said in a statement.

CTIA, a trade group representing mobile carriers, said the spectrum provisions in the bill were “a resounding victory for consumers and the American economy.” The payroll tax bill will provide a significant amount of new spectrum for mobile voice and broadband service, the group said.

The spectrum provisions in the bill will be good for consumers and the mobile broadband industry, said Public Knowledge, a digital rights group.

The spectrum provisions mean that “all the people building and deploying the new super WiFi devices can keep doing so,” Harold Feld, Public Knowledge’s legal director, wrote in a blog post. “It’s a good day in policy land where everyone can claim some kind of win.”

The deal didn’t win universal praise, however. The incentive auctions won’t give mobile carriers enough spectrum to meet the skyrocketing demand for bandwidth from smartphone users, said Richard Bennett, senior research fellow at the Information Technology and Innovation Foundation, a tech-focused think tank.

Congress and the FCC will be “lucky” to get 60MHz of spectrum from the incentive auctions, he said. Mobile carriers have called for the FCC to free up 500MHz of spectrum, but TV stations and U.S. agencies will continue to hang on to spectrum they don’t need, he said.

“There’s a lot of congratulations in Washington today over the fine compromise that allowed incentive auctions to finally go forward, and half a loaf is certainly better than none,” Bennett added. “But we can’t keep doing spectrum allocation this way. The set-asides for defense and broadcasting aren’t defensible and we need a more rational approach to providing the greatest good to the greatest number of spectrum users.”


Breaches galore as Cryptome hacked to infect visitors with malware

Friday, February 17th, 2012

A breach that caused Cryptome to infect visitors with virulent malware was one of at least six attacks reported to hit high-profile sites or services in the past few days. Others affected included Ticketmaster, websites for Mexico and the state of Alabama, Dutch ISP KPN, and the Microsoft store in India.

Cryptome, a repository of leaked documents and other information concerning free speech, privacy and cryptography, was attacked by hackers who left code on its servers that attempted to infect visitors using Windows PCs with a trojan spawned by the Blackhole Toolkit, the website reported on Sunday.

Cryptome founder John Young said in an e-mail that he believes the attackers were able to infect his website with a poisoned PHP file by exploiting a weakness in security or server software provided by Network Solutions, which hosts the Cryptome website.

“It is not yet clear how the attacker got past Network Solutions (our ISP)’s security which has been pretty good,” Young wrote in an e-mail to Ars. “A security expert sent a message just minutes ago which included a security scan of Cryptome which indicated the attacker likely knew how to bypass NetSol’s security with sophisticated tricks.”

The security expert said an exploit of the PHP management system gave attackers highly privileged write access to the Cryptome server’s document root. The attack was likely carried out by an automated script that swept large swaths of the Internet for vulnerable Web servers.

If the vulnerability that was exploited resides in the software Network Solutions provides its customers, other websites may be compromised by the same attack, said the security researcher, who asked to be identified as Lifeguard. A spokesman for Network Solutions didn’t immediately respond to requests for comment. Network Solutions customers who have recently experienced security breaches are encouraged to contact this reporter.

According to security firm Symantec, the Blackhole Toolkit exploits vulnerabilities in a variety of software packages running on Microsoft’s Windows operating system. The PHP code on Cryptome’s servers specifically excluded infecting machines using IP addresses from Google, presumably to keep the infection from coming to the attention of the company’s antimalware defenses. Indeed, Google’s safe browsing diagnostics for Cryptome showed no reports of compromise.

Word of the compromise came as at least five other high-profile sites and services were also reported to have had their security breached. They include government websites for Mexico and the state of Alabama, the Dutch ISP KPN, the UK arm of Ticketmaster, and the Microsoft store in India. Members of the loosely organized hacker collective Anonymous reportedly took credit for a denial-of-service attack that took out the US government’s CIA website and then backed away from the claim.


Oracle claims new MySQL Cluster does 1 billion queries per minute—in NoSQL

Friday, February 17th, 2012

Oracle has announced the general availability of MySQL Cluster 7.2 as a GPL download, and claims to have achieved a benchmark of 1 billion queries per minute and 110 million updates per minute on an eight-server cluster. Those results, based on the flexAsynch test in the DBT-2 benchmark, were attained using a new NoSQL NDB C++ API.

Mikael Ronstrom, senior MySQL architect at Oracle, described the test rig for the benchmark in a blog post on February 15. He said that the server cluster used in the test ran on eight two-socket servers, each running one data node, “using X5670 with Infiniband interconnect and 48GB of memory per machine.” Ten other machines ran the flexAsynch queries against the cluster.

In the flexAsynch test, “each read is a transaction consisting of a read of an entire row consisting of 25 attributes, each 4 bytes in size,” he wrote. “flexAsynch uses the asynchronous feature of the NDB API which enables one thread to send off multiple transactions in parallel. This is handled similarly to how Node.js works with callbacks registered that report back when a transaction is completed.”

The results were an eight-fold improvement over a similar benchmark run by Oracle last year. But given that there aren’t any published results anywhere else for flexAsynch scores from any other vendor, it’s hard to say exactly what these results mean, or how the performance compares to other open-source NoSQL databases.


Citadel banking malware is evolving and spreading rapidly, researchers warn

Thursday, February 9th, 2012

Open-source development model is helping the Trojan’s creators patch bugs and add features faster

A computer Trojan that targets online banking users is evolving and spreading rapidly because its creators have adopted an open-source development model, according to researchers from cyberthreat management firm Seculert.

Called Citadel, the new piece of malware is based on ZeuS, one of the oldest and most popular online banking Trojans. ZeuS was abandoned by its creator in late 2010 and its source code leaked online a few months later.

Since its public release, the ZeuS source code has served as the base for the development of other Trojans, including Ice IX and now Citadel.

“Seculert’s Research Lab discovered the first indication of a Citadel botnet on December 17th, 2011,” the security company said Wednesday in a blog post. “The level of adoption and development of Citadel is rapidly growing.”

Seculert has identified over 20 botnets that use different versions of this Trojan. “Each version added new modules and features, some of which were submitted by the Citadel customers themselves,” the company said.

The most interesting aspect of Citadel is its development process, which is similar to the ones behind community-supported open source projects. “Similar to legitimate software companies, the Citadel authors provide their customers with a User Manual, Release Notes and a License Agreement,” Seculert said.

Like its parent, Citadel is sold as a crimeware toolkit on the underground market. The toolkit allows fraudsters to customize the Trojan and its command-and-control infrastructure according to their needs.

However, the Citadel authors went even further and developed an online platform where customers can request features, report bugs and even contribute modules.

While analyzing different Citadel versions that were released in rapid succession, Seculert’s researchers spotted improvements like the use of AES encryption for configuration files, the blocking of antivirus websites on infected computers, the blocking of automated botnet tracking services and the addition of remote screen video recording capability.

The security company believes that the success of this Trojan could drive other malware writers to adopt the open-source model. “This recent development may be an indication of a trend in malware evolution,” Seculert said.


Crypto crack makes satellite phones vulnerable to eavesdropping

Thursday, February 9th, 2012

Layout of a geostationary orbit telephone network

Cryptographers have cracked the encryption schemes used in a variety of satellite phones, a feat that makes it possible for attackers to surreptitiously monitor data received by vulnerable devices.

The research team, from the Ruhr University Bochum in Germany, is among the first to analyze the secret encryption algorithms implemented by the European Telecommunications Standards Institute. After reverse engineering phones that use the GMR-1 and GMR-2 standards, the team discovered serious cryptographic weaknesses that allow attackers using a modest PC running open-source software to recover protected communications in less than an hour.

The findings, laid out in a paper (PDF) to be presented at the IEEE Symposium on Security and Privacy 2012, are the latest to poke holes in proprietary encryption algorithms. Unlike standard algorithms such as AES and Blowfish—which have been subjected to decades of scrutiny from some of the world’s foremost cryptographers—these secret encryption schemes often rely more on obscurity than mathematical soundness and peer review to rebuff attacks.

“Contrary to the practice recommended in modern security engineering, both standards rely on proprietary algorithms for (voice) encryption,” the researchers wrote in the paper. “Even though it is impossible for outsiders (like us) to decide whether this is due to historic developments or because secret algorithms were believed to provide a higher level of ‘security,’ the findings of our work are not encouraging from a security point of view.”

The GMR-1 standard uses an algorithm that closely resembles the proprietary A5/2 cipher once employed by cellphones based on GSM, or Global System for Mobile Communications. A5/2 was dropped in 2006 after cryptographers exposed weaknesses that made it possible for attackers with modest hardware to crack the cipher in almost real time.

The problem with a5-gmr, as the cipher in GMR-1 is known, is that its output gives adversaries important clues about the secret key used to encrypt communications, Benedikt Driessen, a Ph.D. student who co-authored the paper, told Ars. By making a series of educated guesses based on a small sample of the ciphertext, attackers can quickly deduce the key needed to unscramble the protected data.

“If the guess is correct and given enough equations, the equations can be solved to reveal the encryption key,” Driessen said.

He also faulted the algorithm for performing what’s known as clocking separately and generating output equations with a low algebraic degree, flaws that also diminish security.

a5-gmr-2, the cipher used in GMR-2 phones, is also vulnerable to cracking when adversaries know a small sample of the data before it was encrypted. Because data sent over phone networks contains headers and other predictable content, it is possible for attackers to exploit the weakness.

Phones under attack

It’s tempting for critics of the satphone standards to seize on the security-through-obscurity approach, which relies on the lack of documentation to prevent attacks. But in fairness to the engineers who designed it, the approach hasn’t completely failed. The new crack works only on the data sent from a satellite to a phone, making it possible to retrieve data from only one end of a conversation. What’s more, researchers have yet to reverse engineer the audio codecs used by the standards, so eavesdropping on voice conversations isn’t yet possible.

“Our claim is, (a) we can decrypt and the codec will be revealed shortly which allows full eavesdropping and (b) we can apply the attack to different channels (fax, SMS) for which we don’t even need a codec,” Driessen said. Satphones “are vulnerable because the protection-layer is worthless.”

Over the past couple of years, cryptographers have gradually whittled away at many of the algorithms protecting data sent by phones. Standards including GSM, DECT (Digital Enhanced Cordless Telecommunications), and GPRS (General Packet Radio Service) have all been targeted. Devices that are vulnerable to the latest attacks include the Thuraya So-2510 and the Inmarsat IsatPhone Pro.

The secret algorithms were analyzed by downloading publicly available firmware used by the phones, disassembling the code, and using some clever techniques to isolate the ciphers. The analysis techniques may prove valuable in exposing weaknesses in other encryption schemes as well.


Symantec code theft: Hackers ‘attempted extortion’

Wednesday, February 8th, 2012

Hackers tried to extort money in exchange for keeping source code private, security firm Symantec has said.

It comes as hackers made public emails from law enforcement agents posing as a Symantec employee.

Officials pretended to be the security firm in order to “offer” the hackers $50,000 (£32,000).

However, more source code has allegedly been released after negotiations apparently broke down.

Symantec said it had contacted US law enforcement after being approached by the hackers last month.

In a lengthy series of emails, law enforcement agents posed as a fake Symantec employee named Sam Thomas.

The character was involved in lengthy email discussions with hackers believed to be from India-based group the Lords of Dharmaraja, part of the wider Anonymous collective.

Agents, posing as Sam, told the hackers: “We can pay you $2,500 per month for the first three months.

“In exchange, you will make a public statement on behalf of your group that you lied about the hack (as you previously stated).

“Once that’s done, we will pay the rest of the $50,000 to your account and you can take it all out at once. That should solve your problem.”

At one point, the hackers suspected FBI involvement, writing: “say hi to FBI agents”.

Stolen code

By the end of the email discussion, negotiations began to stall.

At 04:46 GMT on Tuesday, an account belonging to Anonymous suggested that more than a gigabyte of source code from the company’s PC Anywhere software had been uploaded to torrent website The Pirate Bay.

Symantec would not confirm that this was the case.

Symantec has released advice for businesses that rely on its PC Anywhere software

“In January an individual claiming to be part of the ‘Anonymous’ group attempted to extort a payment from Symantec in exchange for not publicly posting stolen Symantec source code they claimed to have in their possession,” the company said in a statement.

“Symantec conducted an internal investigation into this incident and also contacted law enforcement, given the attempted extortion and apparent theft of intellectual property.

“The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation.

“Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved and have no additional information to provide.”

At risk

Last month, users of PC Anywhere software were told by the company to disable its use where possible.

The company confirmed that “old” source code stolen by the hackers had exposed vulnerabilities in the program which allows remote access to computers.

Other programs affected include Norton Antivirus Corporate Edition, Norton Internet Security and Norton Systemworks (Norton Utilities and Norton Go Back).

However, only PC Anywhere is said to be at risk. Symantec has been releasing patches and further information via its website.

Source:  BBC

PHP 5.3.10 fixes critical remote code execution vulnerability

Monday, February 6th, 2012

The vulnerability was introduced by the fix for a hash collision denial-of-service flaw

The PHP Group released PHP 5.3.10 on Thursday in order to address a critical security flaw that can be exploited to execute arbitrary code on servers running an older version of the Web development platform.

The vulnerability is identified as CVE-2012-0830 and was discovered by Stefan Esser, an independent security consultant and creator of the popular Suhosin security extension for PHP.

SecurityFocus classifies the issue as a design error because it was accidentally introduced while fixing a separate denial-of-service (DoS) vulnerability in early January.

That vulnerability is known as CVE-2011-4885 and was disclosed in December 2011 at the Chaos Communication Congress by security researchers Alexander Klink and Julian Wälde.

It affects a number of Web development platforms including PHP, ASP.NET, Java and Python and can be exploited in a so-called hash collision attack. The PHP development team addressed CVE-2011-4885 in PHP 5.3.9, which was released on Jan. 10.

“The fix for the Hash Collision DoS introduced a new directive (max_input_vars) to limit the number of accepted input variables,” said Carsten Eiram, chief security specialist at vulnerability research firm Secunia.

“However, due to a logic error in the ‘php_register_variable_ex()’ function in php_variables.c certain cases are not handled correctly when the number of supplied variables is greater than the imposed limit,” he explained.

This error can be exploited by attackers to remotely execute arbitrary code on a system that runs a vulnerable PHP installation. PHP 5.3.9, along with any older versions to which the hash collision DoS patch was backported, is affected, Eiram said.

Proof-of-concept code that exploits this vulnerability has already been published online, so the likelihood of attacks targeting CVE-2012-0830 is high. Web server administrators are advised to upgrade to PHP 5.3.10 immediately.


Facebook malware scam takes hold

Monday, February 6th, 2012

A link to malware purporting to be CNN coverage of a US attack on Iran is reaching hundreds of thousands of Facebook users

A “worrying number” of Facebook users are sharing a link to a malware-laden fake CNN news page reporting the U.S. has attacked Iran and Saudi Arabia, security firm Sophos said Friday.

If users who follow the link then click to play what purports to be video coverage of the attack, they are prompted to update their Adobe Flash player with a pop-up window that looks very much like the real thing. Those who accept the prompt unwittingly install malware on their computers.

Within three hours of the scam’s appearance, more than 60,000 users had followed a link to the spoofed CNN page, according to Sophos Senior Security Advisor Chester Wisniewski. Facebook removed that link, but others are still being shared.

“The bad guys are rotating through scam pages trying to stay ahead of Facebook,” Wisniewski said.

In a statement, Facebook said it was “in the process of cleaning up this spam now, and remediating any affected users.”

Wisniewski said there are a number of ways that status updates could appear without users’ knowledge. Their Facebook accounts could have been hacked, allowing a third party to update their status. It is also possible for scammers to exploit weaknesses in the social networking platform itself or in Web browsers to post a status update using JavaScript.

A representative status update shown in a screenshot on the Sophos blog reads, “U.S. Attacks Iran and Saudia Arabia. F**k 🙁 [LINK] The Begin of World War 3?”

Users who accepted the Flash player update prompt installed a fake antivirus tool on their computers. That tool would then alert them that their computer is infected with malware that can be eliminated for a fee. Such scams are one of the most lucrative, Wisniewski said, noting the irony that they net far more money than the legitimate security products Sophos and other security companies peddle.

In addition to exercising a healthy dose of skepticism that the U.S. would attack its ally Saudi Arabia, Facebook users can avoid the scam and others like it by updating Flash only from Adobe’s own website rather than from pop-ups.


Half of Fortune 500 firms infected with DNS Changer

Friday, February 3rd, 2012

Machines will be cut off from the Web next month, say experts

Half of all Fortune 500 companies and major U.S. government agencies own computers infected with the “DNS Changer” malware that redirects users to fake websites and puts organizations at risk of information theft, a security company said today.

DNS Changer, which at its peak was installed on more than four million Windows PCs and Macs worldwide — a quarter of them in the U.S. alone — was the target of a major takedown organized by the U.S. Department of Justice last November.

The takedown and accompanying arrests of six Estonian men, dubbed “Operation Ghost Click,” was the culmination of a two-year investigation, although some security researchers have been tracking the botnet since 2006. As part of the operation, the FBI seized control of more than 100 command-and-control (C&C) servers hosted at U.S. data centers.

According to Tacoma, Wash.-based Internet Identity (IID), which provides security services to enterprises, half of the firms in the Fortune 500, and a similar percentage of major U.S. government agencies, harbor one or more computers infected with DNS Changer.

IID used telemetry from its monitoring of client networks, as well as third-party data, to claim that at least 250 of the Fortune 500 companies and 27 out of 55 major government agencies had at least one computer or router infected with DNS Changer as of early this year.

The still-infected machines pose several problems, said experts.

“Initially, DNS Changer was worrisome because it could redirect you from a safe location to a dangerous one controlled by criminals,” said Rod Rasmussen, the chief technology officer of IID in an emailed statement. “However, the FBI temporarily fixed that. Now, the big worry is that machines that are still infected face a second vulnerability — they are left with little if any security.”

That’s because DNS Changer also blocks software updates — the patches vendors like Microsoft issue to fix flaws — and disables installed security software.

Others, however, have pointed out that computers still infected with DNS Changer have only weeks before they will be crippled.

As part of Operation Ghost Click, a federal judge approved a plan where clean DNS servers were deployed by the Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software. Without that move, infected systems would have been immediately cut off from the Internet when the FBI seized the criminals’ domain servers.

But the ISC was authorized to maintain the alternate DNS servers only for 120 days, or until early next month.

“[The ISC] will shut down the [DNS] servers in March and anybody who is still using those servers will then lose access to the Internet,” said Wolfgang Kandek, chief technology officer of Qualys, in a Thursday post to that company’s security blog.

Qualys has added DNS Changer detection to its free BrowserCheck tool that runs on Windows PCs, while the umbrella organization DNS Changer Working Group — of which IID is a member — has created a website that steps users through the process of detecting infected PCs and Macs.
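A defender-side version of the detection step described here and in the March 8 article above, as an added example (not the DCWG, Avira or Qualys tool): pull the configured resolvers out of `/etc/resolv.conf` or an `ipconfig /all` excerpt and test them against rogue-resolver netblocks. The netblocks and the sample output are constructed placeholders in documentation address space, not the real DNSChanger ranges; substitute the ranges the DCWG published.

```python
"""Check whether a host's configured DNS servers fall inside known rogue netblocks.

Added example; the ranges below are constructed placeholders (RFC 5737
documentation space), to be replaced with the published DNSChanger ranges.
"""
import ipaddress
import re

# PLACEHOLDER rogue-resolver ranges (constructed).
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def extract_dns_servers(text):
    """Return resolver addresses from resolv.conf lines or an ipconfig /all excerpt.

    resolv.conf:  'nameserver 192.0.2.53'
    ipconfig:     'DNS Servers . . . . : 192.0.2.53' followed by indented
                  continuation lines that each hold one further address.
    """
    servers = []
    in_windows_list = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):
            servers.extend(IPV4.findall(stripped))
            in_windows_list = False
        elif stripped.startswith("DNS Servers"):
            servers.extend(IPV4.findall(stripped))
            in_windows_list = True
        elif in_windows_list and line[:1] in (" ", "\t") and IPV4.fullmatch(stripped):
            servers.append(stripped)
        else:
            in_windows_list = False
    return servers


def classify_servers(servers, ranges=ROGUE_RESOLVER_RANGES):
    """Map each address to True (inside a rogue range) or False; skip junk."""
    verdicts = {}
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue            # regex matched something that is not a valid IP
        verdicts[server] = any(addr in net for net in ranges)
    return verdicts


def check_host(text, ranges=ROGUE_RESOLVER_RANGES):
    """Return (infected, verdicts); infected is True if any resolver is rogue."""
    verdicts = classify_servers(extract_dns_servers(text), ranges)
    return any(verdicts.values()), verdicts


# Constructed sample inputs (not captured from a real machine).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 192.0.2.53
nameserver 203.0.113.7
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.0.20
   DNS Servers . . . . . . . . . . . : 198.51.100.9
                                       198.51.100.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, sample in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        infected, verdicts = check_host(sample)
        print(label, "INFECTED" if infected else "clean", verdicts)
```

A router that hands out the rogue resolvers via DHCP shows up the same way, since the addresses land in the host's resolver configuration.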


VeriSign, maintainer of net’s DNS, warns it was repeatedly hacked

Thursday, February 2nd, 2012

VeriSign, the company that manages a key internet database for routing traffic to websites and email addresses, exposed private information after being hacked on multiple occasions in 2010, the company quietly disclosed late last year.

While executives with the Reston, Virginia company said they don’t believe servers that maintain the DNS (domain name system) were breached, they couldn’t rule out the possibility. They also warned that they couldn’t guarantee steps taken to remediate the breach would succeed. What’s more, the attacks, which came to light in an article published by Reuters on Tuesday, didn’t come to the attention of managers in a timely manner.

“The occurrences of the attacks were not sufficiently reported to the Company’s management at the time they occurred for the purposes of assessing any disclosure requirements,” VeriSign said in a Securities and Exchange Commission filing in October. The tersely worded disclosure didn’t say how many incidents occurred, when they happened or what information was obtained by the attackers.

Ken Silva, VeriSign’s chief technology officer until November 2010, told reporter Joseph Menn he didn’t learn of the breaches until contacted by the Reuters journalist. Based on the vague language in the filing, Silva speculated that VeriSign executives “probably can’t draw an accurate assessment” of the damage.

Over the past few years, hackers have increased attacks on companies that help secure networks used by government agencies and corporations. Last March, RSA, whose two-factor SecurID tokens are used by 40 million employees to access sensitive networks, said a highly sophisticated hack exposed sensitive information that could compromise their effectiveness. A later attack on defense contractor Lockheed Martin was aided by the theft of the confidential data.

A raft of companies that issue SSL (secure sockets layer) certificates used to verify the authenticity of millions of websites have also been successfully targeted. Among them is DigiNotar, a Netherlands-based certificate authority whose digital imprimatur was used to mint counterfeit credentials used to spy on some 300,000 Google Mail users, most of whom were located in Iran.

Until September 2010, VeriSign ran its own certificate issuing business. A spokeswoman for Symantec, which purchased the operation from VeriSign, told Reuters “there is no indication that the 2010 corporate network security breach mentioned by VeriSign Inc was related to the acquired SSL product production systems.”