Wednesday, April 29, 2009

WV State Bar Data Breach

The WV State Bar reported yesterday that the Bar's website and servers on its internal network have been compromised. The compromised data might include members' names, mail and email addresses, lawyer identification numbers, and the Social Security numbers of some members and former members.

The Bar says there is no evidence that the information listed above has been used for identity theft or fraud, but that members who have concerns should check their credit reports.

The WV State Bar site remains offline this morning. The Bar has called in data forensics experts to try to determine the extent of the breach. They are in the process of rebuilding the site from scratch.

The Bar's website first showed signs of problems back in September, when it was blocked by Google's Safe Browsing feature for serving malware. And I've posted about the Bar's website hosting malware earlier this month.

Thursday, April 23, 2009

Elite User Conference 2009 coming up Jun 9-11

Just saw a thread on the FWMI ProLaw Yahoo Group about the Elite User Conference 2009 coming up Jun 9-11 at the Hilton San Diego Bayfront in San Diego, CA. As in past years, Thomson is rolling Prolaw into the Elite Conference.

Thomson is offering Individual and Multiple Registration discounts:

Receive a $100 discount off the $1,495 Standard Registration Fee when you register before May 8th. That means you attend for just $1,395.

Multiple Registrations: Register multiple employees before May 8th and receive even more discounts. The second person you register pays only $1,095 and the third person pays just $795!

It would be nice to see Prolaw have its own user conference again. I'm not sure how useful the Elite Conference is to Prolaw users.

WV State Bar Site Remains Offline After Last Malware Infection

The WV State Bar site remains offline today. The site was taken offline last Friday, four days after it was discovered the site was hosting malware yet again.

In an email, the Bar announced that the site would be offline for maintenance:

“SPECIAL EDITION BAR BLAST”

* wvbar.org is currently offline for maintenance
* For Casemaker access, click here - https://demo.lawriter.net - login and password are westva (lowercase)
* For registration & other inquiries regarding the 2009 Annual Meeting, please contact Cheryl L. Wright at cheryl@wvbar.org or 304.558.0828
* For information regarding pro hac vice admissions, please contact Cheryl L. Wright at cheryl@wvbar.org or 304.558.0828

This is the same information currently on the website at http://www.wvbar.org/. It appears the site has been taken down to fix whatever problem was causing the site to be compromised on an almost monthly basis.

While my firm has not reported any infections that can be traced to the Bar's website, it remains to be seen if other firms have been so lucky.

Saturday, April 18, 2009

Microsoft April 2009 Security Bulletin Webcast Video

In case you missed it, here it is. I signed up for it, but had to miss it.


Video: Gozi trojan

A member of my team forwarded this video to me last week. (I'm sorry I can't embed the video; embedding was disabled by request.) The video shows the Russian Business Network (RBN) partners HangUP Team and the 76service subscription-based data-mining service for stolen data gathered by the Gozi trojan.

It's another fascinating look at a tool built by hackers for hackers, for profit rather than fun. For another fascinating look at a current hacking tool, take a look at the GhostNet video I previously posted.

Tuesday, April 14, 2009

Microsoft Releases Patch Tuesday Advisory

There are eight patches on tap for tonight. Five are listed as Critical, two as Important, and one as Moderate. They all may require restarts.

Monday, April 13, 2009

WV State Bar Site Infected with Malware

Google Safe Browsing is blocking access to www.wvbar.org this morning. The diagnostics page lists 9 scripting exploits and 8 trojans.

Malicious software is hosted on 3 domains, including v3i9.cn/, nvi3.cn/ and said7.com/.

One domain appears to be functioning as an intermediary for distributing malware to visitors of this site: tejary.net/.

This site was hosted on 1 network, AS7795 (NTELOSINC).

This is not the first time the WV State Bar site has been infected with malware. It happened the first time back in September of 2008.

Update: This issue got resolved overnight. The site isn't hosting malware now.

Saturday, April 11, 2009

Twitter "StalkDaily Worm" (Updated)

Twitter is buzzing tonight with news of a fast spreading worm.

Here is a postmortem of what's being called the “StalkDaily Worm” by Damon Cortesi: "What’s happening here is that it looks like somebody realized they could save URL-encoded data to the profile URL field that would not be properly escaped when re-displayed. This is particularly nasty because you could get infected simply by viewing somebody’s profile page on Twitter that was already infected. If you visited an infected profile, the JavaScript in the profile would execute and by doing so tweet the misleading link, and update your profile with the same malicious JavaScript thereby infecting anybody that then visits your profile on twitter.com."

The Twitter security team has deployed a patch to stop the worm.

Update: F-Secure has a great update including screenshots.

Another Update: Mikeyy Mooney, the 17-year-old creator of StalkDaily.com, claims responsibility for the worm. (Yes, he spells his name with two y's.)

Yet Another Update: Twitter Mikeyy Hack - How to fix & avoid
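As an added example (not code from the post or from Twitter), here is the bug class Cortesi describes, a stored profile URL field re-displayed without escaping, next to a hardened renderer and a cleanup check for profiles already carrying injected markup. The function names and sample profiles are constructed for illustration.

```javascript
// Added example, not code from the post or from Twitter: the StalkDaily bug
// class. A user-controlled profile URL field was stored and re-displayed
// without escaping, so script placed in that field ran for every visitor.
// Function names and the sample profiles below are constructed for illustration.

const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);

// Vulnerable pattern: raw interpolation of a stored field into markup.
function renderProfileLinkUnsafe(profileUrl) {
  return `<a href="${profileUrl}">${profileUrl}</a>`;
}

// Hardened: accept only http(s) URLs, then escape for attribute and text context.
function renderProfileLinkSafe(profileUrl) {
  let parsed;
  try {
    parsed = new URL(String(profileUrl));
  } catch (e) {
    return ""; // not a URL at all: render nothing
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return ""; // rejects javascript:, data: and other active schemes
  }
  const safe = escapeHtml(parsed.href);
  return `<a href="${safe}" rel="nofollow noopener">${safe}</a>`;
}

// Cleanup aid: find stored profiles whose URL field the hardened renderer
// would reject, or that contain markup characters a plain URL never needs.
function findSuspectProfiles(profiles) {
  return profiles
    .filter(({ url }) => {
      const s = String(url);
      return renderProfileLinkSafe(s) === "" || /[<>"']/.test(s);
    })
    .map(({ user }) => user);
}

// Constructed sample data: one clean profile, two carrying stored script.
const SAMPLE_PROFILES = [
  { user: "alice", url: "http://example.com/blog" },
  { user: "bob", url: 'http://example.com/"><script>alert(1)</script>' },
  { user: "carol", url: "javascript:alert(1)" },
];
```

Running findSuspectProfiles over SAMPLE_PROFILES flags bob and carol while leaving alice alone; the same check applied to a real profile table is the triage step after a patch like Twitter's.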

Understanding IPSEC

Wednesday, April 08, 2009

A piece of hacker history?

If this video is what it claims to be, it is truly a piece of hacker history. The poster of the video writes: "Steals a copy of SATAN, Dan's remote network security probing tool.

In the course of tracking the attacker (Kevin), a great deal of network traffic was captured by a specially modified version of tcpdump (here's information on the legality of the acquisition of this evidence), and then a program written by Tsutomu was used to produce playable logs."

Kevin is Kevin Mitnick, the famous hacker. Dan is Dan Farmer, one of the developers of SATAN (Security Administrator Tool for Analyzing Networks), and Tsutomu is Tsutomu Shimomura, the security researcher credited with tracking down Kevin Mitnick in 1995. Shimomura and New York Times reporter John Markoff wrote a book about Shimomura's pursuit and assistance in the arrest of Mitnick. The book is called Takedown and is a pretty good read, although most Mitnick supporters say the book is mostly a work of fiction and that Shimomura broke into his own computer in order to have an excuse to go after Mitnick.

This footage appears to be from Feb. 1995 while Tsutomu Shimomura was monitoring Mitnick and shows Mitnick actually breaking into Farmer's computer to steal a copy of SATAN.

It should be noted that Kevin says he simply copied software and that he never used any software he copied for any financial gain.

Sunday, April 05, 2009

Symantec Video: Using Backdoor.Ghostnet Toolkit for Attacks

Once the exe is built using Backdoor.Ghostnet and installed on the victim computer, it can be controlled using the toolkit built into Backdoor.Ghostnet. One of the tricks being used by attackers is to view the webcams of the victim computers and watch the users actually sitting in front of their keyboards. Rather creepy. It doesn't appear there is anything keeping the attacker from turning on the victim computer's built-in microphone as well.
