Sunday, August 20, 2017

Tag: Web Hosting

Dreamhost, meanwhile, "will host any website as long as its content is legal."
Web hosting company Internet Nayana is paying a hacker 1.3 billion won in bitcoin after its servers were hijacked by a ransomware attack.
Talked scum down from $4.4m after they waltzed through unpatched legacy mess

A South Korean web hosting company is forking out just over US$1 million to ransomware scum after suffering more than eight days of nightmare.…
Cybercriminals like to subvert legitimate online services like Google Docs and Dropbox to carry out their malicious activities.

The free website hosting company Wix is the latest addition to the list of services they’ve abused. Researchers from security company Cyren found that scammers were creating phishing sites designed to harvest Office 365 login credentials via Wix, which offers a simple click-and-drag editor for building web pages.

As typically happens with free services, the criminals are taking advantage of these tools to carry out their operations. The phishing site looks like a new browser window open to an Office 365 login page. In fact, it’s a screenshot of an Office 365 login page with editable fields overlaid on the image. Users would think the site is legitimate and enter their login credentials, except the information is entered into the fields on the overlay and not the actual Office 365 page.
"Six ways Buzzfeed has misled the court... and a picture of a kitten."
A hacker is proving that sites on the dark web, shrouded in anonymity, can easily be compromised. On Friday, the unnamed hacker began dumping a sizable database stolen from Freedom Hosting II onto the internet, potentially exposing its users. The hosting service, Freedom Hosting II, was known for operating thousands of sites that were accessible through the Tor browser; the "dark web" is essentially the encrypted network comprising Tor servers and browsers.

But on Friday, the service appeared to be down. Its main landing page was replaced with a message saying that it had been hacked.
The ShadowBrokers didn't break into the United States National Security Agency after all.

The latest research into the group of cybercriminals selling alleged NSA spy tools reinforced the idea that they'd received the classified materials from an insider within the intelligence agency, security company Flashpoint said. Analysis of the latest ShadowBrokers dump, which was announced earlier in the month on the blogging platform Medium by "Boceffus Cleetus," suggests the spy tools were initially taken directly from an NSA code repository by a rogue insider, Flashpoint said.

The company's researchers analyzed the sample file containing implants and exploits and various screenshots provided in the post and have "medium confidence" that an NSA employee or contractor initially leaked the tools, said Ronnie Tokazowski, senior malware analyst with Flashpoint. However, they were still "uncertain of how these documents were exfiltrated," he said. ShadowBrokers first began offering more than a dozen sophisticated tools for sale -- such as software for extracting decryption keys from Cisco PIX firewalls -- in underground marketplaces over the summer.

The post-exploitation tools, intended to give attackers a way to gain a foothold in the network or move around laterally after the initial breach, targeted flaws in commercial appliances and software.

The Cisco vulnerability (now patched) would have allowed attackers to spy on encrypted communications, for example. Flashpoint's investigators believe the files were taken from a code repository because the sample file was written in Markdown, a lightweight markup language commonly used in code repositories to simplify how files are parsed. "Looking at the dump and how the data is structured, we're fairly certain it's from an internal code repository and likely an employee or contractor who had access to it," said Tokazowski.

When the first set of ShadowBrokers tools was put up for sale, there was speculation that attackers had either successfully breached NSA infrastructure or that NSA operatives had mistakenly left sensitive files on a publicly accessible staging server. Shortly afterwards, the FBI arrested NSA contractor Harold Martin for stealing government materials. Some of the tools included in the ShadowBrokers dump were among the classified materials in Martin's possession, suggesting some kind of involvement with the theft and sale. While Flashpoint's Tokazowski rejected the idea that the cybercriminals had stolen the files directly through external remote access or discovered them on an external staging server, he did not draw any conclusions about whether Martin was involved. While the contractor denies he gave anyone the files, it seems quite possible that someone else broke into his non-classified computer to steal the tools.

The theft of the ShadowBrokers files overlaps somewhat with the theft by former Booz Allen Hamilton consultant Edward Snowden, who stole thousands of NSA-related documents, but Flashpoint said there was nothing linking the theft of these tools with the former NSA contractor. "The close proximity of events raises the question if there were multiple insiders acting independently during 2013," Tokazowski said.

Nation-state attacks and flashy attacks tend to consume most of the security attention, but malicious insiders pose a significant threat to enterprise networks because they already have access to sensitive data and systems. Most IT teams will never have to worry about dealing with a nation-state attack, but every single one of them has to face the prospect of an employee or an administrator going rogue and stealing corporate secrets or damaging the network. Mistakes by careless insiders, such as when employees copy files for non-malicious reasons but the copies are then stolen by adversaries, are also common.

In the case of The ShadowBrokers, the contractor or employee may have had limited access to the tools, since the implants and exploits released thus far appear to be all Linux- and Unix-based.

An insider with wider access would theoretically have been able to grab different types of tools. There's not enough evidence to understand the rogue insider's motivations for stealing the spy tools, but Flashpoint doesn't think it was money. The implants and exploits in this set appear to have been developed between 2005 and 2013, such as the ElatedMonkey exploit, which targeted a local privilege escalation flaw in a 2008 version of the web hosting control panel interface cPanel.

The attack tools are several years old, making it likely the NSA has already moved on to more modern exploitation tools.
If the insider wanted to sell them, the time to do so was shortly after the theft. "If The Shadow Brokers were trying to make a profit, the exploits would have been offered shortly after July 2013, when the information would have been most valuable," Flashpoint said.
The partnership between certificate authority Comodo and hosting panel vendor cPanel enables a new AutoSSL feature that has already provided 5.8 million free SSL/TLS certificates. It's about to get a whole lot easier to deploy encryption across the we...
A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible. While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.

"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time."

The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important."

As their names describe, privilege-escalation or privilege-elevation vulnerabilities allow attackers with only limited access to a targeted computer to gain much greater control. The exploits can be used against Web hosting providers that provide shell access, so that one customer can attack other customers or even service administrators. Privilege-escalation exploits can also be combined with attacks that target other vulnerabilities. A SQL injection weakness in a website, for instance, often allows attackers to run malicious code only as an untrusted user. Combined with an escalation exploit, however, such attacks can often achieve highly coveted root status.

The in-the-wild attacks exploiting this specific vulnerability were found by Linux developer Phil Oester, according to an informational site dedicated to the vulnerability. It says Oester found the exploit using an HTTP packet capture, but the site doesn't elaborate. Attempts to reach Oester for additional details weren't immediately successful. This post will be updated if more information becomes available.

The vulnerability, a variety known as a race condition, was found in the way the Linux memory subsystem handles a duplication technique called copy on write. Untrusted users can exploit it to gain highly privileged write access to memory mappings that would normally be read-only. More technical details about the vulnerability and exploit are available here, here, and here. Using the acronym derived from copy on write, some researchers have dubbed the vulnerability Dirty COW.

Disclosure of the nine-year-old vulnerability came the same week that Google researcher Kees Cook published research showing that the average lifetime of a Linux bug is five years. "The systems using a Linux kernel are right now running with security flaws," Cook wrote. "Those flaws are just not known to the developers yet, but they’re likely known to attackers."
A destructive ransomware program deletes files from web servers and asks administrators for money to return them, though it's not clear if attackers can actually deliver on this promise. Dubbed FairWare, the malicious program is not the first ransomware threat to target Linux-based web servers but is the first to delete files.

Another program called Linux.Encoder first appeared in November and encrypted files, but did so poorly, allowing researchers to create recovery tools. After attackers hack a web server and deploy FairWare, the ransomware deletes the entire web folder and then asks for two bitcoins (around $1,150) to restore them, Lawrence Abrams, the founder of tech support forum BleepingComputer.com, said in a blog post. In the ransom note left on the server, attackers claim that before being deleted from the targeted server, the files were first encrypted and uploaded to another server under their control. "We are the only ones in the world that can provide your files for you!" the ransom note reads.

The payment must be made within two weeks, the note says. There is no evidence yet that attackers actually have copies of the deleted files, so users should think twice before paying.

The ransom note includes a contact email address but says questions like "can I see files first?" will be ignored. Many server operators may decide not to pay because websites typically have backup routines in place. Many web hosting providers also include daily or weekly backups as part of their service. Webmasters who run their own web servers should keep in mind that backups must be saved to an offsite location, not on the production server where they can be affected by a potential server compromise. Even with backups available, a ransomware infection should be cause for concern and should prompt the server administrator to investigate the weakness that allowed the server incident to occur in the first place. Possible causes include vulnerabilities in the website or stolen administrative credentials.