For second time in a month, Apple blacklists Java Web plugin
For the second time in a month, Apple has effectively blacklisted the current version of the Java Web plugin on OS X. The block comes just days after it was discovered that the latest version of the plugin, which had been rushed out to patch a critical vulnerability, can still be exploited despite its heightened security mechanisms.
Apple has worked to distance itself from Java in recent years. The company deprecated its own version of the Java virtual machine for OS X, instead deferring development to Oracle itself. The browser plugin in particular has become a common vector for malware attacks, and Apple removed the Java Web plugin from recent versions of OS X last year. Those needing the plugin must install it separately.
Apple has also added additional security controls to OS X, including a mechanism that forces its Safari browser to use a minimum specified version of various plugins, such as Flash or Java. When security vulnerabilities are discovered in various plugins, Apple can update its Xprotect list to specify which version is acceptable. Earlier versions of plugins are then blocked from running within Safari.
Continued: http://arstechnica.com/apple/2013/01/for-second-time-in-a-month-apple-blacklists-java-web-plug-in/
Also: Apple blocks Java on the Mac over security concerns
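The minimum-version mechanism described above (Safari refuses to load a plug-in older than the version listed for it) comes down to a version comparison, and a naive string comparison gets Java's update numbering wrong. The following is an added example, not Apple's code and not the contents of its actual Xprotect data: the plug-in names, the policy values and the inventory are constructed for illustration.

```python
"""Added example (not Apple's code): the minimum-version idea behind Safari's
plug-in block, reduced to a version comparison that treats the numeric parts
numerically instead of comparing strings."""
import re

# Constructed policy: plug-in name -> lowest version allowed to run.
# The names and version values are assumptions for this example, not
# the contents of Apple's actual Xprotect list.
MINIMUM_VERSIONS = {
    "java": "1.7.0_11",
    "flash": "11.5.502.149",
}


def parse_version(version: str) -> tuple:
    """Split '1.7.0_11' or '11.5.502.149' into a tuple of ints so that
    1.7.0_9 < 1.7.0_11 (plain string comparison gets this backwards,
    because '9' sorts after '1')."""
    parts = [int(p) for p in re.split(r"[._-]", version) if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def is_blocked(plugin: str, installed: str) -> bool:
    """True if the installed plug-in version is below the policy minimum.
    A plug-in absent from the list is not blocked by a minimum-version policy."""
    minimum = MINIMUM_VERSIONS.get(plugin.lower())
    if minimum is None:
        return False
    a, b = parse_version(installed), parse_version(minimum)
    # Pad the shorter tuple with zeros so 1.7.0 compares equal to 1.7.0_0.
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def evaluate(plugins: dict) -> dict:
    """Apply the policy to an inventory {plug-in name: installed version}."""
    return {name: ("blocked" if is_blocked(name, ver) else "allowed")
            for name, ver in plugins.items()}


if __name__ == "__main__":
    # Constructed inventory of what a machine might have installed.
    print(evaluate({"java": "1.6.0_37", "flash": "11.5.502.149", "silverlight": "5.1"}))
```

Raising the listed minimum above any version the vendor has shipped blocks the plug-in outright, which is the effect the article describes when the current Java release was itself found exploitable.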
Yahoo Accounts Hijacked via XSS-Type Attack
From Bitdefender's "HOTforSecurity" blog:
Popular webmail provider Yahoo has been slammed with a new e-mail-based attack that seizes control of victims' accounts. Bitdefender Labs discovered the ongoing campaign today and are once again warning users about the dangers of clicking spammy links.
The account hijacking begins with a spam message with a short link to an apparently harmless session of the reliable news channel MSNBC (hxxp://www.msnbc.msn.com-im9.net[removed]).
A closer look at the real link reveals that the true domain is not part of MSNBC, but a crafty domain composed of subdomains at hxxp://com-im9.net.
Continued: http://www.hotforsecurity.com/blog/yahoo-accounts-hijacked-via-xss-type-attack-5172.html
Related: How Yahoo allowed hackers to hijack my neighbor's e-mail account (Updated)
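The lure in this campaign works because the hostname reads like an MSNBC address while the part the attacker actually registered is com-im9.net; everything to the left of that is a subdomain the registrant can name freely. The following added example (not Bitdefender's code) shows how a defender's link checker separates the registrable domain from the decorative subdomain labels and flags embedded brand names. The public-suffix set and the brand allowlist are tiny constructed stand-ins; a real tool would load the full Public Suffix List.

```python
"""Added example (not from the Bitdefender post): show why a hostname such as
www.msnbc.msn.com-im9.net is NOT an MSNBC/MSN address, and flag URLs whose
hostname embeds a well-known brand in the subdomain labels."""
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (assumption for this example; the real list is far larger).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed allowlist of brand domains this check knows about.
BRAND_DOMAINS = {"msnbc.com", "msn.com", "yahoo.com"}


def refang(url: str) -> str:
    """Turn the defanged scheme (hxxp/hxxps) used in threat reports back into a real one."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)


def registrable_domain(host: str) -> str:
    """Return the part of the hostname the registrant controls (public suffix
    plus one label), e.g. 'com-im9.net' for 'www.msnbc.msn.com-im9.net'."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate first so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return ".".join(labels)  # the host is itself a bare suffix
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # fallback when no known suffix matches


def analyse(url: str) -> dict:
    """Describe how a link's displayed brand cues relate to its real domain."""
    host = urlsplit(refang(url)).hostname or ""
    real = registrable_domain(host)
    trusted = real in BRAND_DOMAINS
    # Subdomain labels sit to the left of the registrable domain; a hyphen
    # inside a label ('com-im9') is split too, since it mimics a dot visually.
    prefix = host[: -len(real)].rstrip(".") if host.endswith(real) else host
    prefix_tokens = set(prefix.replace("-", ".").split("."))
    impersonated = [] if trusted else sorted(
        b.split(".")[0] for b in BRAND_DOMAINS if b.split(".")[0] in prefix_tokens
    )
    return {"host": host, "registrable_domain": real,
            "trusted_brand": trusted, "impersonated": impersonated}


if __name__ == "__main__":
    # The defanged link from the report, with the redacted path removed.
    print(analyse("hxxp://www.msnbc.msn.com-im9.net"))
```

The useful signal is the combination: a registrable domain that is not on the allowlist together with brand tokens in the subdomain part. Either alone is common and benign; together they are exactly the shape of this lure.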
Backdoor.Barkiofork Targets Aerospace and Defense Industry
From the Symantec Security Response Blog:
A few weeks ago, we observed a spear phishing campaign targeting groups in the aerospace and defense industry. We identified at least 12 different organizations targeted in this attack. These organizations include aviation, air traffic control, and government and defense contractors. [Screenshot]
In choosing their targets, the attackers identified individuals in important roles, including directors and vice presidents. The content of all the emails were identical. The attackers used a report published in 2012 regarding the outlook of the aerospace and defense industries as the lure. The intention of the attackers was to make it seem as though this email originally came from the company that authored the report. The emails were also crafted to look as though they were being forwarded by internal employees or by individuals from within the industries identified.
When the malicious PDF attached to the email is opened, it attempts to exploit the Adobe Flash Player CVE-2011-0611 'SWF' File Remote Memory Corruption Vulnerability (CVE-2011-0611). If successful, it drops malicious files as well as a clean PDF file to keep the ruse going.
Continued: http://www.symantec.com/connect/fr/blogs/backdoorbarkiofork-targets-aerospace-and-defense-industry
'Silent but deadly' Java security update breaks legacy apps
An application developer reports that the latest Java 7 update "silently" deletes Java 6, breaking applications in the process.
Java 7 update 11 was released two weeks ago to deal with an unpatched vulnerability which had gone mainstream with its incorporation into cybercrook toolkits such as the Blackhole Exploit Kit in the days beforehand. Attacks were restricted to systems running Java browser add-ons.
But Oracle's response appears to have caused some collateral damage.
JNBridge, which provides Java and .NET interoperability tools, reports that customers of software providers who use its technology came a cropper in cases where users had applied the latest Java update (Java 7u11). The software developer blogged about the issue here.
Oracle has decided that, in order to fix extensively reported security problems, they will not only update Java 7 (their latest version of Java), they will also completely delete a completely separate product.
Worse, it appears that they are taking it upon themselves to replace installations of Java 6 with Java 7 even if the users have only Java 6 on their machines.
We followed up with Wayne Citrin, chief technology officer at JNBridge, who shed some light on the practical issues created by Oracle's recent Java update. "We provide a Java/.NET bridge, and one of the interoperability mechanisms allows the .NET and Java to run in the same process," Citrin explained. "To do this, the user needs to supply the absolute path to the jvm.dll file belonging to the JRE that they plan to use.
Continued: http://www.theregister.co.uk/2013/01/31/java_security_update/
More Facebook Graph Search Suggestions
From the F-Secure Antivirus Research Weblog:
Yesterday as I was testing Facebook's Graph Search, which is in Beta, I searched for the following: women who live in Helsinki, Finland and who like sushi. (I wanted something that would get lots of results. It did.)
At the end of the day, I cleared my search history.
Then today, a sponsored story for a Helsinki-based sushi restaurant appeared in my News Feed. [Screenshot]
Perhaps it's just a coincidence...
In any case, today, continuing my testing, I searched for people with my name who live in Finland. (The result: me and another guy.) Graph Search will definitely make it easier for your Facebook profile to be found by others.
Here's a couple of things to check on just to make sure you don't have anything exposed.
First of all, consider limiting all of your old posts. Most of the profiles that I've observed make good use of current privacy controls, but some have pre-2010 legacy posts which are public. [Screenshot]
Continued: http://www.f-secure.com/weblog/archives/00002495.html
Malicious Chrome extensions: a cat and mouse game
Google Chrome users are being targeted these days by a wave of attacks that uses malicious extensions hosted in the official Chrome Web Store. The attack appears to be of Turkish origin and is using Facebook to spread. We saw users of different nationalities infected with the malicious extensions, which the cybercriminals are sending to the official store regularly, in a cat-and-mouse game.
As we already reported in March 2012, Brazilian cybercriminals were able at that time to host a malicious extension in the Chrome Web Store. Since then, in June 2012, Google has changed the way users can add third-party browser extensions, i.e. no longer allowing the installation of extensions that are not hosted on the official Web Store. More recently Google removed the possibility of silent installations, which had been widely abused by third parties.
Maybe for these reasons bad guys started to concentrate their efforts to upload bad extensions to the official store. Now it's the turn of Turkish cybercriminals; they were able to host several extensions there in the last few days.
Continued: http://www.securelist.com/en/blog/208194095/Malicious_Chrome_extensions_a_cat_and_mouse_game
Hacking The Laptop Docking Station
"Black Hat Europe researcher builds prototype device that could be used to steal corporate data, listen in on voice calls, videoconferences"
You know that docking station you snap your laptop into at the office? It can be hacked, too.
A British researcher next month at Black Hat Europe will show just how valuable those seemingly benign devices can be to a determined attacker targeting an organization or group of users. Andy Davis, research director for UK-based NCC Group, built a prototype hardware device that can easily be placed inside a laptop docking station to sniff traffic and ultimately, steal sensitive corporate communications information from the laptop.
"You see docking stations all over the place in organizations because people are using hot-desking type environments, so different laptops can be attached to them [the docks] each day," Davis says. "And they are considered a trusted part of the infrastructure: nobody thinks someone might tamper with one or swap one for another. Admins are more concerned with protecting your laptop: that's where the money is and the information."
Continued: http://www.darkreading.com/mobile-security/167901113/security/client-security/240147566/hacking-the-laptop-docking-station.html.html
Related: Laptop Docks Can Be Used for Hardware-Based Cyberattacks, Expert Says
Report: Mainstream Websites Host Majority of Malware
While Android malware continues to grow faster than other malware types, it still accounts for only a minute fraction of all malware on the Web, according to Cisco's annual security report released this week.
Compromised websites hosting malicious Java and iFrame attacks and other malware far and away outpace all other delivery vectors for malware, Cisco's report said.
"These types of attacks often represent malicious code on 'trusted' webpages that users may visit every day— meaning an attacker is able to compromise users without even raising their suspicion," the report added.
Infecting benign sites with malware remains at the heart of malware propagation as attackers continue to find great success delivering malware over infected banner ads on websites, malicious media files or redirects via iFrame.
"Web malware encounters occur everywhere people visit on the Internet—including the most legitimate of websites that they visit frequently, even for business purposes," said Mary Landesman, senior security researcher with Cisco. "Indeed, business and industry sites are one of the top three categories visited when a malware encounter occurred. Of course, this isn't the result of business sites that are designed to be malicious."
Ticketmaster dumps 'hated' Captcha verification system
The world's largest online ticket retailer is to stop requiring users to enter hard-to-read words in order to prove they are human.
Captcha - which asks users to type in words to prove they are not robots trying to cheat the system - is used on many sites.
But Ticketmaster has moved to ditch it in favour of a simpler system.
It means users will write phrases, such as "freezing temperatures", rather than, for example, "tormentis harlory".
Captcha stands for Completely Automated Public Turing test to tell Computers and Humans Apart, and was first developed at Carnegie Mellon university in 2000.
For sites such as Ticketmaster, Captcha is used to make sure robots are not used to buy up tickets automatically.
Continued: http://www.bbc.co.uk/news/technology-21260007
IE 10 more secure, so here's a tool to prevent updating..
IE 10 is more secure, so here's a Microsoft tool to prevent you updating by mistake
An alert writer over at The Register has spotted a funny thing.
Microsoft just released a free tool to stop you upgrading to Internet Explorer 10 on Windows 7 and Server 2008 R2:
"Big deal," you say. "There is no IE 10 for Windows 7, so it doesn't sound like much of a tool to me."
Except, as The Reg points out, the availability of the tool is a sort of omen: it surely means that IE 10 for Windows 7 must be nearly ready to drop for real.
Ironically, then, Microsoft is making sure that as soon as IE 10 is ready, you're already ready to avoid it.
Sounds rather odd, but sysadmins in any but the smallest organisations tend towards trepidation over Internet Explorer updates, in case some legacy business application should go pear-shaped.
Continued: http://nakedsecurity.sophos.com/2013/02/01/ie-10-is-more-secure-prevent-update/
I wonder what the IE market share is these days
Carol, I see a lot of posts recommending Firefox and Chrome over IE here and in other places, and never see ones recommending IE. I remember Bob Proffitt saying he gave up on IE several years ago. So I'm wondering what the market shares are for these 3 browsers, would you happen to know the answer or where that info might be posted?
How about 10 years of stats?
I still use IE in a pinch when some site/app/thing doesn't work. For example, I ran into some router that would not set up in Firefox or Chrome. It did in IE. I don't mind IE at all. But it's a target, and after a decade it seems like they would have it nailed by now.
I think I know why it's taken this long. The goals at this company are not what they seem, unless you know what they are. It's not "security first" but something else.
Wow! 14.7% 2 months ago.
Thanks, Bob. That's a real surprise to me, I'd have guessed somewhere in the 50% range. And Chrome is ahead of Firefox 47% to 31%. That's another surprise to me, although I normally use Chrome to keep 9 CNET forums open. We still have to use IE for Windows updates, and I use it for the MS forums, but I've just run into too many IE bugs for much of anything else. I thought I was in the minority, but here I find it's not just us geeks who've switched.
MS will hype IE10, but in my limited use of it in my Windows 8 test computer, I don't see anything significant to me. And as of today, you will pay $199 for the Windows 8 Pro upgrade we paid $40 for yesterday ($119 for the basic version).
Interesting you asked ..
Only because I read the below just this morning, which touched upon the subject. Not quite sure if it's what you're looking for. Bob seems to have ....... delivered the goods!
IE breaks 55% market share as three-month old IE10 passes 1%; Chrome is only browser to decline
For the most part, I only use Internet Explorer for the monthly updates. And have done so for years. In a rare instance I'll use IE, when Firefox blocks me from completing a task. ⇐ ⇐ A good thing.
I continue to believe it's not about the browser, but the user. But then again, it's not what you asked.
If I find something more on the lines of what you asked, I'll post it here.
I hadn't seen your post when I submitted mine..
A result of (too much) multi-tasking.
Hmmm, that's a very large contrast to Bob's link
Carol, your link says IE has a 55% market share, Bob's says 14.7%. One of these has to be wrong! Yours does include earlier versions, so maybe Bob's just looked at IE9, but there's still a discrepancy.
Overlooking the obvious?
I may be over-looking the obvious, but there sure is a discrepancy. The below was posted on April 2nd of last year.
It references both the desktop and mobile (worldwide) market. Note what they write about the differences between StatCounter and Net Marketshare. Even at that, there's still too much of a discrepancy.
Could it be how the numbers are computed and what they're based on? There's probably a VERY simple explanation. No doubt, Bob has one. 'Cause I don't.
Sorry .. I'm stumped!
Bob usually does have the answer
I don't know how Bob does it, he comes up with more answers more times than any 3 other folks I've ever seen. Do you think he ever sleeps? He sure doesn't let the grass grow under his feet.
I guess this proves the old saying about how figures don't lie, but liars can figure?
Re: browser statistics
The w3schools statistics clearly say they are from the log-files of their own site. Which proves that Firefox is rather popular with their target group (web programmers).
The statistics of http://gs.statcounter.com/ say they are worldwide, while http://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0 doesn't specify where and what it measures.
So, as we say here, it's comparing apples and pears. The trends (growing or shrinking market shares) probably are more reliable than the absolute figures.
I like this area.
Thanks for the other stats. It's a loaded question as those that have something to gain or lose will measure it differently. For example, MSFT may drop Android and Apple devices since that would really skew the numbers in ways they don't want to see.
Apple may publish mobile only if they wanted to. Good question.
Kim Dotcom puts up $13,500 bounty to break Mega's system
Kim Dotcom puts up $13,500 bounty for first person to break Mega's security system
Kim Dotcom is so confident in the security system at Mega, the newly launched file storage service, that the New Zealand-based German is offering a bounty of €10,000 (approx. US$13,580) to the first person who breaks it.
Last week, Dotcom said that he would offer up a prize for any enterprising hackers, after the site was criticized for the way that it handles security. A Mega blog post dismissed points raised by Ars Technica and Forbes, explaining that the site will soon be boosted by new measures, including a change password feature and more, to increase the security of accounts and data.
Mega, which launched less than two weeks ago, is storing nearly 50 million files and it passed 1 million registered users after just one day online.
#Mega's open source encryption remains unbroken! We'll offer 10,000 EURO to anyone who can break it. Expect a blog post today.
— Kim Dotcom (@KimDotcom) February 1, 2013
The bounty offer is part of Mega's ongoing focus on improvement while it is in beta — "You find a bug. We fix it," Dotcom said last week, and such financial carrots are dangled by most major tech firms, albeit in a less public fashion. Facebook, Google, Dropbox and countless others provide developers with cash payments and official acknowledgements if they find bugs and issues.
Continued: http://thenextweb.com/insider/2013/02/01/kim-dotcom-puts-up-13500-bounty-for-first-person-to-break-megas-security-system/
Dotcom Offers €10,000 Reward For Breaking Mega's Crypto
Kim Dotcom's Offering a Cash Reward If You Can Smash Mega's Encryption
Kim Dotcom promises $13,600 to anyone who breaks Mega encryption
Pro-Grade Point-of-Sale Skimmer
Every so often, the sophistication of the technology being built into credit card skimmers amazes even the experts who are accustomed to studying such crimeware. This post focuses on one such example — images from one of several compromised point-of-sale devices that used Bluetooth technology to send the stolen data to the fraudsters wirelessly.
In October 2012, forensics experts with Trustwave Spiderlabs were called in to examine the handiwork of several Bluetooth based point-of-sale skimmers found at a major U.S. retailer. The skimmers described and pictured in this blog post were retrieved from a retail breach that has not yet been disclosed, said Jonathan Spruill, a security consultant at Trustwave.
Spruill said the card-skimming devices that had been added to the small point-of-sale machines was beyond anything he'd encountered in skimmer technology to date.
"The stuff we've been seeing lately is a leap forward in these types of crimes," said Spruill, a former special agent with the U.S. Secret Service. "You hate to say you admire the work, but at some point you say, 'Wow, that's pretty clever.' From a technical and hardware standpoint, this was really well thought-out."
Retweet to Become Verified on Twitter? Not Likely...
From the GFI Labs Blog:
There's currently a number of "Twitter Verified" style accounts posting to Twitter, asking users to "Retweet to become verified", or posting up peculiar minigames along the lines of "The last person to RT this Tweet becomes verified". It's all rather odd, and shows no sign of slowing down. [Screenshot]
At this point, we've seen the following accounts posting similar content:
⇒ VerifiedTwiiter (notice the "ii")
freeverify seems to be unrelated, with the last Tweet appearing back in August (humorously, it also mentions "we have not been verified as it takes 1 to 3 months to be totally verified". It takes up to 3 months for Twitter to verify itself?)
Along with asking for Retweets, some of the accounts seem to be looking for recently verified individuals, then sending them a Tweet to say "you're verified" shortly afterwards. By doing so, it would appear to anybody looking on that they had indeed just verified somebody.
Continued: http://www.gfi.com/blog/retweet-to-become-verified-on-twitter-not-likely/
Citadel Trojan: It's Not Just for Banking Fraud Anymore
Banking malware has primarily been just that, an attack tool used against financial institutions to steal money from online bank accounts. But what if cybercrime gangs decided to flip that on its head, and use malware such as the Citadel banking Trojan to steal credentials from not only banks, but government agencies and commercial businesses?
That situation apparently has been in play since late December. McAfee reported this week that it has observed an uptick in attacks, primarily in Europe, where Citadel has been used to attack government offices in Poland, businesses in Denmark and Sweden, as well as government agencies in Japan.
The use of Citadel, a less-circulated variant of the Zeus malware, is noteworthy because Citadel was removed from commercial underground marketplaces last June after its author Aquabox was banned from trading and said he would sell only to referrals. McAfee has observed 300 Citadel samples still active in the wild compromising more than 500 victims in Europe. By comparison, fewer than a dozen have been compromised in the United States. By comparison, Zeus infections number in the tens of thousands, McAfee's Ryan Sherstobitoff said in the company's report, "Inside the World of the Citadel Trojan."
Continued: https://threatpost.com/en_us/blogs/citadel-trojan-it-s-not-just-banking-fraud-anymore-020113