Security researchers have uncovered a new web-based service containing security credentials for more than 8,700 websites belonging to Fortune 500 companies and government agencies. It allows miscreants to infect some of the internet's most popular destinations with a few clicks of the mouse.
According to security provider Finjan, the service categorizes the list of available sites by a variety of characteristics, including the country where they're hosted and their popularity. After paying a fee, criminals can select the domain they want to compromise and then use it as a means to infect vulnerable machines that later visit the site.

The service provides a menu of malware titles that can be pushed to unwitting visitors. It also allows miscreants to upload custom exploits, according to Yuval Ben-Itzhak, chief technology officer at Finjan.


In a sense, this crimeware as a service (CAAS) was inevitable. According to an earlier report from Finjan, more than 51 percent of websites that pushed malicious content in the second half of 2007 were legitimate destinations that had been commandeered by bad guys. The service is evidence that there's money to be made in automating that process - and one more sign that cyber-crime has grown into a full-fledged business where no opportunity to turn a profit is passed up.

Businesses using some of the more advanced methods for securing connections to Wi-Fi access points need to take a hard look at the configuration settings of client computers. So say researchers who have documented a simple way to impersonate trusted networks.

The attack works on access points that use the Wi-Fi Protected Access (WPA) in concert with Protected Extensible Authentication Protocol (PEAP) or other so-called Extensible Authentication Protocols (EAPs). Such technologies use public-key certificates to authenticate a trusted network to a laptop or other connected device and provide an encrypted SSL tunnel through which the two can communicate.

Problem is, laptops running Windows, OS X and various versions of Linux frequently have the security settings mis-configured, according to researchers Brad Antoniewicz and Josh Wright. Using a program called FreeRADIUS-WPE (short for FreeRADIUS Wireless Pwnage Edition), it's easy to dupe the clients into connecting to imposter networks and giving up critical information, they say.

The attack relies on a technology known as a wireless supplicant, which sits on the client and checks the validity of a network's credentials. All too frequently, the researchers say, it's not configured to validate a certificate at all, or at the very least, not to properly validate a server's RADIUS TLS certificate.