Industry News

World Bank Hack
A group of hackers reportedly broke into 18 servers at the World Bank last July. Reportedly, no sensitive information was accessed during the attack, though security experts doubt that claim, since advanced attackers may be able to steal data without leaving a trace, depending on the audit levels in place. Also, 5 of the 18 servers that were compromised did contain sensitive information. The attack started with a compromised administrator account in Lotus Notes and originated from IP addresses in China, though the Chinese are not suspected as the attackers.
http://www.usatoday.com/money/industries/banking/2008-10-12-world-bank-hackers_N.htm
http://www.darkreading.com/document.asp?doc_id=165712&WT.svl=news1_1

WiFi Cracking
The password cracking software company Elcomsoft has released a new version of its software for cracking WPA/WPA2 wifi encryption keys. The software uses NVidia GPUs to speed up the cracking process 100-fold. This is similar to the company's previous use of NVidia GPUs for password cracking and will cut the time required from years to days or weeks. This mainly affects static keys, and not the more complex authentication and encryption used in corporate wifi networks.
http://securityandthe.net/2008/10/12/

DarkMarket Was FBI Sting
DarkMarket was an underground site for online criminals to traffic stolen information including credit cards and identity information before recently being shut down. A German radio network has discovered documents that show the site has been run by the FBI for the past two years as part of a sting operation. The documents reveal that J. Keith Mularski, a senior cybercrime agent based at the National Cyber Forensics Training Alliance, ran the site. The FBI used the site to collect information on its members and track their online activities.
http://blog.wired.com/27bstroke6/2008/10/darkmarket-post.html

Real World Attacks
Secunia has performed a set of 300 test attacks against multiple popular security software platforms to see which ones pick up real world attacks. The tests included attack code delivered as documents, images, and malicious web sites. Out of 12 tools, only Symantec detected 3% or more of the test attacks, with a total detection rate of 21%. The weakness is that most tools depend on signature-based detection rather than behavioral detection. The biggest lesson learned from this exercise is to patch systems as quickly as possible, since these products just won't fully protect a system.
http://www.computerworld.com/action/article.do?

Hijacked Emails
A luxury hotel owned by the Thompson Group is being extorted by a hacker who hijacked emails of the hotel's guests. The hacker told the hotel how he opened up a wifi access point and snooped on the email traffic that passed through it. The hotel chain is now looking at methods to keep copycat hackers from exploiting the same method.
http://www.vnunet.com/vnunet/news/2228134/blackmailing-hacker-hijacks

Security Industry Trails Hackers
A new report from the Georgia Tech Information Security Center (GTISC) warns that the security industry is being outpaced by the hacking community. The report highlights five areas that need addressing: botnets, Web 2.0 attacks, targeted messaging, telecommunications, and RFID hacking. The group also believes that cellphones are the next target for recruitment into botnets, that VoIP systems will get hit by blackmailing DoS attacks, and that the cybercrime economy will thrive.
http://www.vnunet.com/vnunet/news/2228330/security-industry-falling
http://www.darkreading.com/document.asp?doc_id=166029&WT.svl=news1_1

Flash Privacy
Many people know that cookies used in web browsers can leave behind traces of data that may cause privacy concerns. What many people don't know is that Adobe's Flash player has its own cache of cookies. They can't be deleted by your browser, there is no limit on how many of them can be stored, and they will stay on your computer for an unlimited amount of time. It is estimated that Flash is installed on 98% of computers online.
http://www.imasuper.com/66/technology/flash-cookies-the-silent-privacy-killer/

Adobe Flash Patches
Adobe has patched five vulnerabilities for Flash, including one that was exploited in "clickjacking" attacks that were recently highlighted. The fixes were rolled into Flash Player 10, the newest version.
http://www.computerworld.com/action/article.do?

Gmail Spoofing
A member of the group GNUCitizen has claimed that attackers can gain Gmail login credentials by using frame injection techniques in combination with a Google domain vulnerability. He has released proof-of-concept code that uses a 'targeturl' parameter to achieve the cross-site action. This attack can only succeed if an attacker can get a user to visit their customized web page.
http://www.scmagazineuk.com/Gmail-can-be-easily-spoofed/article/119425/

Warezov Botnet Active Again
SecureWorks is reporting that the Warezov botnet has become active again and this time it is using compromised Hotmail accounts to send its spam. It appears that whoever is behind the bot has defeated Hotmail's CAPTCHA system.
http://www.eweek.com/c/a/Security/Warezov-Botnet-is-Back-in-the-Spam-Game/

 

Company News

Stephen Sims
SEC401 Instruction
SANSFIRE, Washington DC
July 2008

Jared McLaren
GIAC Frontline Solutions
DOJ, US Courts
Indianapolis, IN
August 2008