Good Morning, Captain: open IP ports let anyone track ships on Internet

While digging through the data unearthed in an unprecedented census of nearly the entire Internet, Researchers at Rapid7 Labs have discovered a lot of things they didn't expect to find openly responding to port scans. One of the biggest surprises they discovered was the availability of data that allowed them to track the movements of more than 34,000 ships at sea. The data can pinpoint ships down to their precise geographic location through Automated Identification System receivers connected to the Internet.

The AIS receivers, many of them connected directly to the Internet via serial port servers, are carried aboard ships, buoys, and other navigation markers. The devices are installed at Coast Guard and other maritime facilities ashore to prevent collisions at sea within coastal waters and to let agencies to track the comings and goings of international shipping. Rapid7 security researcher Claudio Guarnieri wrote in a blog post on Rapid7's Security Street community site that he, Rapid7 Chief Research Officer H.D. Moore, and fellow researcher Mark Schloesser discovered about 160 AIS receivers still active and responding over the Internet. In 12 hours, the trio was able to log more than two gigabytes of data on ships' positions—including military and law enforcement vessels.

For many of the ships, the vessel's name was included in the broadcast data pulled from the receivers. For others, the identification numbers broadcast by their beacons are easily found on the Internet. By sifting through the data, the researchers were able to plot the location of individual ships. "Considering that a lot of military, law enforcement, cargoes, and passenger ships do broadcast their positions, we feel that this is a security risk," Guarnieri wrote.

Read 4 remaining paragraphs | Comments

Admin beware: Attack hitting Apache websites is invisible to the naked eye

Ongoing exploits infecting tens of thousands of reputable sites running the Apache Web server have only grown more powerful and stealthy since Ars first reported on them four weeks ago. Researchers have now documented highly sophisticated features that make these exploits invisible without the use of special forensic detection methods.

Linux/Cdorked.A, as the backdoor has been dubbed, turns Apache-run websites into platforms that surreptitiously expose visitors to powerful malware attacks. According to a blog post published Friday by researchers from antivirus provider Eset, virtually all traces of the backdoor are stored in the shared memory of an infected server, making it extremely hard for administrators to know their machine has been hacked. This gives attackers a new and stealthy launchpad for client-side attacks included in Blackhole, a popular toolkit in the underground that exploits security bugs in Oracle's Java, Adobe's Flash and Reader, and dozens of other programs used by end users. There may be no way for typical server admins to know they're infected.

"Unless a person really has some deep-dive knowledge on the incident response team, the first thing they're going to do is kill the evidence," Cameron Camp, a security researcher at Eset North America, told Ars. "If you run a large hosting company you're not going to send a guy in who's going to do memory dumps, you're going to go on there with your standard tool sets and destroy the evidence."

Read 7 remaining paragraphs | Comments