Critical Unpatched Oracle Vulnerability
From SANS ISC Diary:
Oracle's April "Critical Patch Update" listed a vulnerability in the TNS Listener services as one of the patched vulnerabilities. Sadly, it turns out that current versions of Oracle are not patched. Instead, the vulnerability will apparently only be fixed in future versions of the Oracle database. According to a statement from Oracle quoted by the discoverer of the vulnerability, the fix would possibly have had stability issues for current versions of Oracle.
The vulnerability was responsibly reported to Oracle back in 2008. Upon release of the April CPU, Joxean Koret, who originally found the vulnerability, came forward with additional details including a proof of concept exploit, fully expecting that a patch was now available.
So in short: we have an unpatched remote code execution vulnerability in all current versions of Oracle, with proof of concept exploit code.
Joxean's details published after the CPU release also include some useful workarounds. Please refer to the post for details.
Critical Bug Reported in Oracle Servers
Vulnerability in Oracle Servers Fixed Only in "Future Versions"
Python-based malware attack targets Macs. Windows PCs also under fire
Experts at SophosLabs have identified a new malware attack that is targeting both Mac and Windows computers, exploiting the infamous Java security vulnerability that allowed the Flashback botnet to commandeer 600,000 Macs.
Internet users who visit compromised webpages may find themselves at risk of infection via a Java exploit that downloads malicious software onto their computer. Patches for the Java vulnerability have been available since February 14th for Windows, Linux and Unix computers and since early April for Mac users.
Nevertheless, there may still be some users who have not yet patched their computers - and are at risk of attack.
The latest malware attack exploits the Java vulnerability to download further malicious code onto the computer (Sophos products detect the attack as Mal/20113544-A and Mal/JavaCmC-A).
The malicious Java code downloads further code onto the victim's computer - depending on what operating system they are using. On Windows, the downloaded file will be detected by Sophos as Mal/Cleaman-B. On Mac OS X, the downloaded file (install_flash_player.py) will be detected as OSX/FlsplyDp-A.
This is not, however, the end of the story.
Continued : http://nakedsecurity.sophos.com/2012/04/27/python-malware-mac/
Fake "Security Update KB971033" Emails Point to Malicious Sites
Vulnerabilities such as the one that affected the Windows Remote Desktop Protocol have made many users better understand the need for security updates. Cybercriminals have taken advantage of this and started sending their own "security update" notifications.
Hoax Slayer reports that an email with the subject "Security update KB971033 has been released" is currently making the rounds, landing in the inboxes of unsuspecting internauts.
After giving some decent advice on how to defend yourself against financial crimeware and identity theft, the fraudsters highlight the importance of security update products.
"We detected that you don't have installed Anti-spoofing update KB971033 from Microsoft, this update will protect you from accessing fake pages like phishing site by checking any accessed link without any delay in browsers and also will fix CVE-2012-3651 (Adobe auto-downloader) exploit, you can install it with just one click here," reads part of the email.
To make everything even more legitimate-looking, the notification informs recipients that sometimes, if the customer isn't careful during the automated installation process, some important updates may be skipped, thus exposing the computer to cyber threats.
Continued : http://news.softpedia.com/news/Fake-Security-Update-KB971033-Emails-Point-to-Malicious-Sites-266765.shtml
Survey Finds Secure Sites Not So Secure
A new project that was set up to monitor the quality and strength of the SSL implementations on top sites across the Internet found that 75 percent of them are vulnerable to the BEAST SSL attack and that just 10 percent of the sites surveyed should be considered secure.
The SSL Pulse project, set up by the Trustworthy Internet Movement, looks at several components of each site's SSL implementation to determine how secure the site actually is. The project looks at how each site is configured, which versions of the TLS and SSL protocols the site supports, whether the site is vulnerable to the BEAST or insecure renegotiation attacks and other factors. The data that the SSL Pulse project has gathered thus far shows that the vast majority of the 200,000 sites the project is surveying need some serious help in fixing their SSL implementations.
There is quite a bit of alarming data in what the project has gathered, and one of those pieces of information is that more than 148,000 of the sites surveyed are vulnerable to the BEAST attack, which was developed by researchers Juliano Rizzo and Thai Duong and disclosed last year. Their attack uses what's known as a chosen-plaintext attack against the AES implementation in the TLS 1.0 protocol and enables them to use a custom tool they wrote to steal and decrypt supposedly secure HTTPS cookies. The attacker can then hijack the victim's secure SSL session with a site such as an e-commerce site or online banking site.
Continued : http://threatpost.com/en_us/blogs/survey-finds-secure-sites-not-so-secure-042712
Related: Elgamal, Marlinspike join dream team tackling SSL screw-ups
Mobile malware increasingly delivered via social networks
The growing use of mobile devices to connect with social networks is fast becoming a preferred method for cyber criminals to spread malware, particularly on those devices running Android, say the results of AVG's Q1 2012 Community Powered Threat Report. [Screenshot]
Social networks have become a key source of information and communication. Twitter now has more than 140 million active users; and Facebook has over 845 million users, with some analysts expecting that figure to reach 1 billion this year. The result: targeting those who use Facebook is like targeting around 14 per cent of the world's population or approximately 43 per cent of global internet users.
Consider also that there are over 300 million Android phones already activated, with over 850,000 Android phones and tablets added to that number each day, and it is clear these two trends combined result in a new threat: infecting Android devices using social networks.
Most mobile devices are tied into operator billing systems, making monetization of malware a lot more effective than on traditional computer systems. All the attackers need to do is trick users into installing a malicious app on their device, through which they can then gather cash using the phone companies' billing systems by utilizing premium SMS services.
AVG's Report: Q1 2012 Community Powered Threat Report (pdf)
Free Ray-Bans and TOMS shoes scams hit Facebook
Have you seen a message on Facebook saying that free pairs of Ray-Bans or TOMS shoes are being given away to users?
Don't believe it.
The messages, which have become widespread, actually point to scams.
Here are some of the messages that are being seen on unsuspecting users' Facebook walls:
Get a Free Pair of Ray-Bans! (limited time only)!
Current Limited offer
To Celebrate the Summer, We are Giving Away Free Ray-Bans to All Facebook Users!
Get a Free Pair of Toms Shoes! (Limited Time Only)!
Current Limited offer
To Celebrate the Summer, Toms is currently giving away FREE pairs of shows to select facebook users for a limited time!
If you click on the links you will be taken to pages which try to trick you into sharing the link further amongst your Facebook friends. People's excitement over the possibility of a free pair of Ray-Bans sunglasses or a pair of shoes outweighs their common sense it seems.
Continued : http://nakedsecurity.sophos.com/2012/04/27/free-ray-bans-and-toms-shoes-scams-hit-facebook/
A 419 Scam and an Unintended Surprise
From the GFI Labs Blog:
Given the long history of advance-fee fraud, it is safe to assume that we're more or less aware (if not familiar) with what 419 scams are. For those who are not, 419 scams typically come to users in the form of an email, asking for either cash or personal information. They are otherwise known as Nigerian scams.
GFI Software Threat Researcher Robert Stetson spotted a 419 scam mail which has been around since 2007, is clearly back in business and whose website even managed to tangle itself up in confusion related to third-party advertising. [Screenshot]
' From: ASIA PACIFIC INT'L LOTTERY
Subject: Congratulations!!! You Won
Congratulations!!! Dear Lucky Winner,
ASIA PACIFIC LOTTERY 2012 WINNING NOTIFICATION
We are Pleased to inform you that your Email Address was selected among the winners of Asia Pacific International Lottery Promotion year 2012.
You have therefore been approved for a lump sum pay of US$ 1,000,000.00 (ONE MILLION UNITED STATES DOLLARS ONLY)
For more details visit our website below:
Kindly click on the weblink for full information and direction on how to redeem your cash prize.
Congratulations Once again !!!
Dr. Thanaporn Deng
President, Asia Pacific Lottery Organization.'
Clicking the link on the email body directs users to this fake lottery and scam website:
Continued : http://www.gfi.com/blog/a-419-scam-and-an-unintended-surprise/
Which Facebook Apps Steal Your Data (and How to Stop Them)
The biggest privacy problem with Facebook isn't Facebook itself, it's Facebook's apps. There are more than 500,000 games, puzzles, quizzes and other time wasters on the Facebook platform, many of which exist for the sole purpose of sucking data out of your account. Worse, these apps not only can access your information, they can also grab data from your friends' profiles, depending on their privacy settings. Thank you, obnoxious Farmville fans.
Facebook establishes limits about what data apps can access and what they can do with it, but they don't appear terribly motivated to enforce those rules. For example, in October 2010, ten popular Facebook apps were found to be slurping up user data in direct violation of Facebook's own terms. In response, Facebook removed some of those apps on a Friday, then reinstated them on the following Monday.
Now you can take matters into your own hands and find out who the real data vampires are. PrivacyScore from PrivacyChoice is a Chrome plug-in that rates how each app deals with your data on a scale from 0 to 100. It can also do the same for Web sites. You can view these scores on the Web, on Facebook or, if you've installed the Chrome extension, by clicking the PS icon in the browser bar when you install an app.
Busted In 60 Seconds: Malware Reveals Itself In First Minute
"Nearly half of all malicious programs attempt to communicate out to the Internet in the first minute. Companies need to listen more closely to their networks"
There are telltale signs of malware communications, and organizations that monitor traffic on their networks can pinpoint nearly half of all infected computers within a minute of the system's compromise, researchers say.
Websense researchers Stephan Chenette and Armin Buescher took a random sampling of nearly 200,000 malicious programs and categorized them by behavior, including how the malware communicated over the network. Malware typically reaches out over the network to request commands from a command-and-control (C&C) server or to exfiltrate intellectual property or other sensitive corporate information, they said during a presentation at last week's SOURCE Boston security conference.
"If the point isn't the complete destruction of data, what's going to happen is that the attackers are going to install malware in the network and the malware will eventually communicate out," Chenette said.
Continued : http://www.darkreading.com/security-monitoring/167901086/security/security-management/232901106/busted-in-60-seconds-malware-reveals-itself-in-first-minute.html
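As an added illustration of the "listen to your network" point above (this is not code from the Websense researchers or the article): a small correlation check that flags hosts whose freshly launched executable opens an outbound connection to a non-internal address within the first 60 seconds. The log format, host names, file paths and internal address ranges are all constructed assumptions.

```python
"""Correlate new-process starts with outbound connections and flag
early beacons. Sample events are constructed for this example."""
from datetime import datetime
import ipaddress

# Constructed sample events (hypothetical format: ts|host|kind|detail)
SAMPLE_LOG = """\
2012-04-27T10:00:00|ws-17|exec|C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe
2012-04-27T10:00:12|ws-17|conn|203.0.113.45:443
2012-04-27T10:03:00|ws-17|conn|192.168.1.10:445
2012-04-27T10:05:00|ws-22|exec|C:\\Program Files\\Editor\\editor.exe
2012-04-27T10:07:30|ws-22|conn|198.51.100.7:80
2012-04-27T10:09:00|ws-31|conn|198.51.100.9:443
"""

# Assumed internal ranges; anything outside them counts as "the Internet"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse(log_text):
    """Yield (timestamp, host, kind, detail) tuples from the sample format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, host, kind, detail = line.split("|", 3)
            yield datetime.fromisoformat(ts), host, kind, detail


def is_external(dest):
    """True when 'ip:port' points outside the assumed internal ranges."""
    ip = ipaddress.ip_address(dest.rsplit(":", 1)[0])
    return not any(ip in net for net in INTERNAL_NETS)


def find_early_beacons(log_text, window_seconds=60):
    """Return (host, exe, dest, seconds_after_exec) for every outbound
    connection to an external address made within window_seconds of the
    host's most recent new-process start."""
    last_exec = {}  # host -> (timestamp, executable path)
    hits = []
    for ts, host, kind, detail in parse(log_text):
        if kind == "exec":
            last_exec[host] = (ts, detail)
        elif kind == "conn" and host in last_exec and is_external(detail):
            exec_ts, exe = last_exec[host]
            delta = (ts - exec_ts).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append((host, exe, detail, int(delta)))
    return hits


if __name__ == "__main__":
    for host, exe, dest, secs in find_early_beacons(SAMPLE_LOG):
        print(f"{host}: {exe} reached {dest} {secs}s after launch")
```

In the sample data only ws-17 is flagged; ws-22 connects out too late for the 60-second window and ws-31 has no process-start event to correlate against.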
Ghost of HTML5 future: Web browser botnets
During a presentation at the B-Sides Conference in London on Wednesday, Robert McArdle, a senior threat researcher at Trend Micro, outlined how the revamped markup language could be used to launch browser-based botnets and other attacks. The new features in HTML5 - from WebSockets to cross-origin requests - could send tremors through the information security battleground and turn the likes of Chrome and Firefox into complete cybercrime toolkits.
Creating botnets by luring punters into visiting a malicious web page, as opposed to having them open a booby-trapped file that exploits a security flaw, offers a number of advantages to hackers.
Continued : http://www.theregister.co.uk/2012/04/27/html5/
New Google Easter Egg "destroys" search results
Google always seems to sneak in some cool Easter Eggs in their web site for people to discover. This week, yet another one of these hidden gems was found and it's an apparent tip of the hat to Blizzard's Starcraft game series.
All one has to do is type in "zerg rush" in Google's search box and the show starts. A bunch of yellow and red zeros with the Google logo font design start spreading themselves on the search results page and destroy those same results. You can click on the circles with your mouse cursor to destroy those circles yourself.
The Zerg are one of the alien races in the Starcraft series and the term "zerg rush" is one that is known in real time strategy game circles. It's used to describe a situation when any player tries to overwhelm his opponent with a mass of units during a multiplayer match.
Google stores your score for each "round" of play along with your "APM" (actions per minute) number, which is the number of times you click on the mouse to defeat those red and yellow foes. In the end, the circles then form two big "G" letters on the screen. You can also send your score to be displayed on your Google+ account.