Oracle

D.C. Insider Site NationalJournal.com Serving Malware

Watering hole -style attacks are all the rage these days, as our recent coverage on the attacks against Facebook and Twitter suggest. That makes us look askance at any report of a web site compromise – especially at a site that’s known to serve an audience that’s of interest to sophisticated, nation-state backed hacking crews.   That’s why it caught our attention this week that the web site for the DC-insider magazine The National Journal (nationaljournal.com) was found serving malware. According to a blog post by Anup Ghosh at the security firm Invincea, The National Journal’s Web site was serving up attacks to visitors of the site on Tuesday. The discovery was surprising, as the magazine acknowledged an earlier compromise on February 28th and said that it had since secured its site. That National Journal, part of The Atlantic Media Company, is widely read within Washington D.C.’s political circles. It […]

Many Watering Holes, Targets In Hacks That Netted Facebook, Twitter and Apple

The attacks that compromised computer systems at Facebook, Twitter, Apple Corp. and Microsoft were part of a wide-ranging operation that relied on many “watering hole” web sites that attracted employees from prominent firms across the U.S., The Security Ledger has learned. The assailants responsible for the cyber attacks used at least two mobile application development sites as watering holes in addition to the one web site that has been disclosed: iPhoneDevSDK.com. Still other watering hole web sites used in the attack weren’t specific to mobile application developers – or even to software development. Still, they served almost identical attacks to employees of a wide range of target firms, across industries, including prominent auto manufacturers, U.S. government agencies and even a leading candy maker, according to sources with knowledge of the operation. More than a month after the attacks came to light, many details remain under tight wraps. Contacted by The Security […]

Are Mobile App Developers Prey In A Massive Watering Hole Attack?

Say you’re a “bad guy” and what you really want to do is compromise the systems of some high value targets – like software developers working a prominent, Silicon Valley firms like Facebook and Twitter.   Breaking through the front door isn’t easy – these companies mostly have the technology chops to protect their networks and employees. Phishing e-mails are also a tough sell: the developer community is heavy on Apple Mac systems and – besides – application developers might be harder to phish than your average Fortune 500 executive. A better approach might be to let your prey come to you – attacking them passively by gaining control of a trusted third party web site – a so-called “watering hole.” That’s a scenario that has played out in a number of recent, high profile attacks, such as the so-called “VoHo” attacks documented by Symantec and RSA. It may also be […]

Rush Job: Oracle Releases Fix For Critical Java Bug

Oracle Corp. has rushed out an update for its Java Standard Edition software after malicious hackers jumped on a security hole in widespread, web-based attacks. Oracle released Java Standard Edition Update 11 on Sunday, less than a week after news first broke that cyber criminals had woven exploit code for the security hole into push button “exploit kits” that are for sale in the cyber underground. The update fixes CVE-20130-0422, and Oracle urged Java users to apply the update as soon as possible. Java technology powers billions of laptop and desktop computers, as well as smart phones and embedded devices. However, the platform has been the subject of repeated, critical security holes. Most recently, in August, Oracle was forced to rush out a similar update – Java Standard Edition Update 10 – in the face of similar attacks on another security hole.  Attacks using the exploit were reported to be […]

Lights Out For Java: Experts Say Turn It Off – And Leave It Off

Security experts from around the globe are warning Internet users to disable Java while browsing the web, after attacks using a previously unknown (“zero day”) vulnerability in Java began to surface, as part of multi-purpose “exploit kits” that are used to launch attacks from hostile or compromised web sites. The exploit works on all versions of Java 7, including update 10 – the latest release from Oracle, which now manages the Java technology, after acquiring it with the assets of Sun Microsystems, according to an analysis by the firm Alienvault, which said that the exact nature of the vulnerability wasn’t known because the exploit was heavily obfuscated to slow down security researchers. According to this report from Krebsonsecurity, the first word of the new exploit came by way of underground forums, where the administrators of popular exploit kits like Blackhole and the Nuclear exploit kits added the Java exploit as […]