Spyware, Viruses, & Security forum


NEWS - February 04, 2013

by Carol~ Forum moderator / February 4, 2013 1:06 AM PST
Another Java update! Oracle brings Patch Tuesday forward to close in-the-wild hole...

I'll keep this one short, but I feel I ought to tell you.

"Yet another Java update! Get it while it's hot"

In calmer times, this update would have appeared on 19 February 2013.

Oracle's Critical Patch Updates for Java normally come out on the Tuesday closest to the 17th day in every fourth month. (Yes, I find that a little Byzantine, too.)

But Oracle brought its February 2013 Java patch forward, noting the "active exploitation 'in the wild' of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers":

Oracle isn't saying which of the RCE (remote code execution) holes is the one that's actively being exploited, but bringing the patch forward is probably a good idea anyway.

According to the latest Oracle Risk Matrix there are 50 fixes, 49 of which might be remotely exploitable. That means merely visiting a web page might be enough to infect your computer.

The quick way to grab the latest version is to head over to Java.com and click the big red Free Java Download button.

Continued: http://nakedsecurity.sophos.com/2013/02/04/another-java-update-oracle-brings-patch-tuesday-forward-to-close-in-the-wild-hole/

Another Critical Java Update, You Know What To Do
Critical Java Update Fixes 50 Security Holes
Oracle releases emergency patches for Java
Oracle Pushes Massive Patch Release Ahead of Schedule

Twitter detects & shuts down password data hack in progress
by Carol~ Forum moderator / February 4, 2013 1:08 AM PST

Twitter engineers shut down what they described as an "extremely sophisticated" hack attack on its network that exposed the cryptographically protected password data and login tokens for 250,000 users.

In a blog post published late Friday afternoon, company officials said affected passwords and tokens have been reset and e-mails are in the process of being sent out to affected users. Twitter said it discovered the breach "earlier this week" and shut it down moments later.

"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Bob Lord, Twitter's director of information security, wrote. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."

Lord also mentioned recent attacks on Oracle's Java software framework for browsers, although he didn't explain what it had to do with the attack on Twitter. He urged users to disable Java on their computers.

Twitter compared the breach in timing to the recent widespread hacks of the New York Times and the Wall Street Journal, in which Chinese hackers gained access to the papers' databases to track down information on journalists and their sources who were helping write stories critical of the family of China's prime minister.

Continued: http://arstechnica.com/security/2013/02/twitter-detects-and-shuts-down-password-data-hack-in-progress/

Twitter hacked; 250,000 users must reset their passwords
Twitter Breached, Attackers Stole 250,000 User Data
Twitter Users Still Log in with Old, Vulnerable Passwords

NetSeer suffers hack, triggers Google anti-malware warnings
by Carol~ Forum moderator / February 4, 2013 1:50 AM PST

If you visited ZDNet earlier today and were warned by Google that you were entering a site with known malware, you weren't alone.

Internet advertising network NetSeer suffered a hack to its front-end Web site today that rippled across the Web sites of its advertising partners. The alerts warned visitors who were using the Chrome browser that the Web site they were visiting was a "known malware distributor." [Screenshot]

A spokesperson for NetSeer confirmed the successful hacking attempt at around 5:30 a.m. PT, but noted that it did not affect its advertising network infrastructure.

The company is currently working with Google to rectify the situation.

A NetSeer spokesperson confirmed that its corporate network had been infected with malware, and Google subsequently added its domain to a list of malware-affected Websites. Because NetSeer's corporate site has the same domain name as its advertising network, Google triggered warnings on end-user machines warning users to avoid any Web page that happened to include an ad served from NetSeer's servers.

But, visitors to these Web sites were at no point at risk from being served up malware from the NetSeer advertising network, the company said.

Continued : http://www.zdnet.com/netseer-suffers-hack-triggers-google-anti-malware-warnings-7000010776/

FTC demands "Do Not Track" for mobile apps
by Carol~ Forum moderator / February 4, 2013 1:51 AM PST

The US Federal Trade Commission (FTC) has made another contribution to the growing debate over the privacy of personal data on smartphones and tablet PCs. With a package of recommendations the US authority is urging mobile operating system and application developers to introduce more transparency in their products.

Users have a right to know what data is collected and what it is used for, said the FTC. Apps shouldn't be able to access GPS data or other personal information such as photos or contacts without the user's permission, it added. A year ago the Path social network created a stir by harvesting users' address book data without their permission; the FTC recently ordered Path to pay an $800,000 fine.

The commission also demands that platform developers implement "Do Not Track" (DNT) features that allow users to avoid being tracked for marketing purposes by advertising networks or other third parties for other reasons. The FTC has been demanding a similar feature for desktop browsers for some time and is now threatening to implement legal requirements.

Continued : http://www.h-online.com/security/news/item/FTC-demands-Do-Not-Track-for-mobile-apps-1796943.html

Mobile attacks!
by Carol~ Forum moderator / February 4, 2013 2:51 AM PST

From the Kaspersky Lab Weblog:

Users of inexpensive Android smartphones typically look for ways to accelerate their devices, for example, by freeing up memory. Demand for software that makes smartphones work a little faster creates supply, some of which happens to be malicious. In addition to legitimate applications, apps that only pretend to clean up the system have appeared on Google Play.

We have come across PC malware that infects mobile devices before. However, in this case it's the other way round: an app that runs on a mobile device (a smartphone) is designed to infect PCs.

On January 22, 2013 Kaspersky Lab discovered the following application on Google Play: [Screenshot]

The app is obviously quite popular and has a good rating: [Screenshot]

This application has a twin brother that has an identical feature list but a different name:

Continued: http://www.securelist.com/en/blog/805/Mobile_attacks#page_top

Also : New Malware Attacks Smartphone, Computer to Eavesdrop

Hat tip to R. Proffitt !

Wireless Carriers Put on Notice About Providing Regular..
by Carol~ Forum moderator / February 4, 2013 2:51 AM PST
... Android Security Updates

Activist Chris Soghoian, who in the past has targeted zero-day brokers with his work, has turned his attention toward wireless carriers and their reluctance to provide regular device updates to Android mobile devices.

The lack of updates leaves millions of Android users sometimes upwards of two revs behind in not only feature updates, but patches for security vulnerabilities. Today during a session at the Kaspersky Lab Security Analyst Summit, Soghoian made a call for legislators to get involved in calling AT&T, Verizon, T-Mobile and Sprint on the carpet for their practices, or cede control to Google for providing regular updates to devices.

Unlike with Apple, which wields considerable influence with the carriers because all of them want a share of the iPhone market, Soghoian said Google has relatively little power in its relationship. Google gives up the Android operating system for free and carriers and handset vendors have control over update distribution.

Continued : https://threatpost.com/en_us/blogs/wireless-carriers-put-notice-about-providing-regular-android-security-updates-020413

Flaw Flood Busts Bug Bank
by Carol~ Forum moderator / February 4, 2013 4:54 AM PST

The Common Vulnerability & Exposures (CVE) index, the industry standard for cataloging software security flaws, is growing so rapidly that it will soon be adding a few more notches to its belt: The CVE said it plans to allow for up to 100 times more individual vulnerabilities to be indexed each year to accommodate an increasing number of software flaw reports.

Currently, when a vulnerability is reported or discovered, it is assigned a CVE number that corresponds to the year it was reported, followed by a unique 4-digit number. For example, a recent zero-day Java flaw discovered earlier this year was assigned the identifier CVE-2013-0422. But in a recent publication, The MITRE Corp., the organization that maintains the index, said it wanted to hear feedback on several proposed changes, such as modifying the CVE to allow for up to 999,999 vulnerabilities to be cataloged annually.

"Due to the increasing volume of public vulnerability reports, the Common Vulnerabilities and Exposures (CVE) project will change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year," CVE Project announced last month. "The current syntax, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year."

Continued: http://krebsonsecurity.com/2013/02/flaw-flood-busts-bug-bank/

'Broke' Estonian suspect pleads guilty to DNSChanger click..
by Carol~ Forum moderator / February 4, 2013 4:54 AM PST
... fraud scam

An Estonian man has pleaded guilty to involvement in the DNSChanger click fraud scam. The Trojan infected 4 million computers worldwide, netting cybercrooks an estimated $14m in the process.

Valeri Aleksejev, 32, pleaded guilty to fraud and computer hacking offences at a hearing at a US federal court on Friday, Reuters reports. Aleksejev is the first of six Estonians and one Russian indicted in 2011 following a high-profile takedown operation. They face five charges each of wire and computer intrusion. One of the defendants, Vladimir Tsastsin, was charged with 22 counts of money laundering.

The DNSChanger malware at the centre of the scam changed internet address look-up settings on infected computers so that surfers attempting to reach Apple's iTunes website, the Inland Revenue Service, or Netflix's movie website were routed towards unaffiliated businesses. The ads presented to surfers visiting Amazon, The Wall Street Journal and other sites from infected machines were also under the control of cybercrooks, who earned a slice of the resulting advertising revenue from third-party affiliates. The scam ran for around four years between 2007 and late 2011.

Continued : http://www.theregister.co.uk/2013/02/04/dns_changer_guilty_plea/

"Lucky 13" attack snarfs cookies protected by SSL encryption
by Carol~ Forum moderator / February 4, 2013 4:54 AM PST

"Exploit is the latest to subvert crypto used to secure Web transactions."

[Screenshot: A representation of how TLS works]

Software developers are racing to patch a recently discovered vulnerability that allows attackers to recover the plaintext of authentication cookies and other encrypted data as they travel over the Internet and other unsecured networks.

The discovery is significant because in many cases it makes it possible for attackers to completely subvert the protection provided by the secure sockets layer and transport layer protocols. Together, SSL, TLS, and a close TLS relative known as Datagram Transport Layer Security are the sole cryptographic means for websites to prove their authenticity and to encrypt data as it travels between end users and Web servers. The so-called "Lucky Thirteen" attacks devised by computer scientists to exploit the weaknesses work against virtually all open-source TLS implementations, and possibly implementations supported by Apple, Microsoft, and Cisco Systems as well.

The attacks are extremely complex, so for the time being, average end users are probably more susceptible to attacks that use phishing e-mails or rely on fraudulently issued digital certificates to defeat the Web encryption protection. Nonetheless, the success of the cryptographers' exploits—including the full plaintext recovery of data protected by the widely used OpenSSL implementation—has clearly gotten the attention of the developers who maintain those programs. Already, the Opera browser and PolarSSL have been patched to plug the hole, and developers for OpenSSL, NSS, and CyaSSL are expected to issue updates soon.

Continued : http://arstechnica.com/security/2013/02/lucky-thirteen-attack-snarfs-cookies-protected-by-ssl-encryption/

Related: Unlucky for you: UK crypto-duo 'crack' HTTPS in Lucky 13 attack

Hackers breach U.S. Energy Department networks
by Carol~ Forum moderator / February 4, 2013 5:38 AM PST

Notifications sent out to employees and contractors of the U.S. Department of Energy have confirmed that it and its networks have been the latest victim of "sophisticated hackers" in search of confidential information.

The breach was confirmed for the Washington Free Beacon by unnamed officials from inside the department, and it apparently happened two weeks ago.

The attackers - thought to be working at the behest of a nation state - have managed to penetrate 14 computer servers and 20 workstations located at the Department's headquarters, and have succeeded in exfiltrating personally identifiable information on several hundred employees and contractors.

According to reports, there are indications that the attackers might have also had other goals in mind - namely to either steal confidential information or to pave the way for future intrusions that would make that possible.

Continued : http://www.net-security.org/secworld.php?id=14353

Sophisticated cyber-attack hits Energy Department, China possible suspect
Department of Energy Compromised in Sophisticated Attack
US Department of Energy hacked, employees' personal information stolen

Partial Disclosure Leaves Adobe Reader Zero-Day Story ..
by Carol~ Forum moderator / February 4, 2013 5:38 AM PST
... in Limbo

It's the vulnerability that never was. Or was it?

In a saga that has spanned close to three months, 90 emails and a short novel's worth of back and forth between Adobe and Russian security company Group-IB over a reported zero-day sandbox-bypass exploit, there has been little in the way of a concrete resolution. Two members of Adobe's Product Security Incident Response Team (PSIRT) said today at the Kaspersky Lab Security Analyst Summit that the software vendor has been unable to reproduce the vulnerability, and has yet to receive proof of concept code from Group-IB, despite numerous promises to do so.

"We were hoping for a proof of concept, but we had a video [of the exploit] only," said David Lenoe, Adobe PSIRT group manager. "We did as much analysis, but without a proof of concept, we had to deal with what we had."

Group-IB did not reply to request for comments.

The sandbox bypass was reported Nov. 7 by Group-IB; the company added that the exploit was being sold in a private version of the Blackhole Exploit Kit for anywhere between $30,000 and $50,000. This was an urgent situation for Adobe PSIRT since an exploit bypassing the sandbox had not been seen in the wild before.

Continued : https://threatpost.com/en_us/blogs/partial-disclosure-leaves-adobe-reader-zero-day-story-limbo-020413