Spyware, Viruses, & Security forum

NEWS - February 25, 2013

by Carol~ Forum moderator / February 25, 2013 12:09 AM PST
HTC "failed to employ reasonable security" on Android, says FTC

On Friday, the Federal Trade Commission (FTC) announced that it had reached a settlement (PDF) with HTC over notable security holes on its millions of tablets and Android handsets. HTC has now agreed to provide a patch within 30 days and be subject to a security review for the next 20 years.

"Because of the potential exposure of sensitive information and sensitive device functionality through the security vulnerabilities in HTC mobile devices, consumers are at risk of financial and physical injury and other harm," the agency wrote in its complaint (PDF).

The agency also alleged that HTC's user manuals "contained deceptive representations." The FTC said that the Tell HTC application, which lets users report errors to HTC, does not actually allow users to opt out of sharing their location, despite a displayed option to do so.

Continued: http://arstechnica.com/tech-policy/2013/02/ftc-orders-htc-to-fix-its-reasonable-security-failures-on-android/

Related:
HTC Settlement Could Alter Mobile Security and Privacy Landscape
HTC agrees to fix vulnerabilities found in millions of its devices
HTC Settles US Charges of Security Flaws on Devices
Microsoft Hacked, Just Like Facebook and Apple
by Carol~ Forum moderator / February 25, 2013 12:19 AM PST

On Friday evening, Microsoft announced via its security blog that it, too, had been the victim of a cyber attack, comparing its situation to the likes of Facebook's and Apple's recent security breaches.

"During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations," wrote Matt Thomlinson, General Manager of Trustworthy Computing Security, in a company post.

Microsoft claims no evidence of customer data being compromised.

The security breach of the Redmond-based software company is just one in a series of high-profile tech company hacks, starting earlier this month with Twitter's announcement that the data of some 250,000 user accounts could potentially have been compromised.

Continued : http://allthingsd.com/20130222/microsoft-hacked-just-like-facebook-and-apple/

Also:
Microsoft hacked by same cyberattack as Apple and Facebook
Microsoft: We Were Hacked, Too!
Microsoft Hacked: Intrusion Was 'Similar' To Apple And Facebook Attacks
Microsoft Joins Ranks of the Tragically Hacked

0-Day Vulnerability Affecting Java 7u15 and Earlier Versions
by Carol~ Forum moderator / February 25, 2013 12:19 AM PST
Zero-Day Vulnerability Affecting Java 7 Update 15 and Earlier Versions Identified

Researchers from Polish firm Security Explorations have identified another serious vulnerability in Java 7. The experts say Java SE 7 Update 15 and all earlier versions are affected.

Adam Gowdiak, the CEO of Security Explorations, has told Softpedia that they've uncovered two security issues, which they've dubbed "issue 54" and "issue 55."

When combined, the flaws can be leveraged to achieve a complete bypass of the Java security sandbox.

Oracle has been provided with the details of the newly uncovered bugs, but so far, it has only confirmed receiving the information. Most likely, the company will confirm the existence of the flaws in the upcoming days.

"Both new issues are specific to Java SE 7 only. They allow to abuse the Reflection API in a particularly interesting way," Gowdiak noted. "Without going into further details, everything indicates that the ball is in Oracle's court. Again."

The experts have tested their findings against the initial release of Java SE 7, Java SE 7 Update 11, and Java SE 7 Update 15, which is the version released a few days ago.

Continued : http://news.softpedia.com/news/Zero-Day-Vulnerability-Affecting-Java-7-Update-15-and-Earlier-Versions-Identified-332157.shtml

Related :
Zero-Day Flaws in Java Re-Emerge; No Exploitation in the Wild Yet
Researchers claim to have found more zero-day vulnerabilities in Java
Another iPhone Passcode Bypass Vulnerability Discovered
by Carol~ Forum moderator / February 25, 2013 12:20 AM PST

It's getting hard to keep track of all the bugs piling up for Apple's iPhone. Now it seems a glitch in the iOS kernel of Apple's much maligned iOS 6.1 is responsible for yet another passcode bypass vulnerability, the second to surface this month. Attackers can apparently access users' photos, contacts and more by following a series of steps on an iPhone running iOS 6.1.

The vulnerability was detailed in a post on the Full Disclosure mailing list late last week by Benjamin Kunz Mejri, founder and CEO of Vulnerability Lab.

Similar to the iPhone's passcode vulnerability, the exploit involves manipulating the phone's screenshot function, its emergency call function and its power button. Users can make an emergency call (911 for example) on the phone and then cancel it while toggling the power on and off to get temporary access to the phone. A video posted by the group shows a user flipping through the phone's voicemail list and contacts list while holding down the power button. From there an attacker could get the phone's screen to turn black before it can be connected to a computer via a USB cord. The device's photos, contacts and more "will be available directly from the device hard drive without the pin to access," according to the advisory.

Continued : https://threatpost.com/en_us/blogs/another-iphone-passcode-bypass-vulnerability-discovered-022513

Related:
iOS 6.1 flaw allows bypass of password-protected lock screen
Access restriction in iOS 6 partially useless

Firefox 22 will block third-party cookies
by Carol~ Forum moderator / February 25, 2013 12:20 AM PST

Jonathan Mayer, a researcher at Stanford, has contributed a patch for Firefox that will block third-party cookies from installing on the user's browser. The patch is set to be incorporated into Firefox 22. For some sense of timing on the project, Firefox 19 was released on Tuesday.

With the patch, Firefox would allow all cookies from sites that a user actively visits, but would block cookies from third-party sites if a user has not visited that cookie's origin site. Advertisers generally place third-party cookies and can collect data about a user across several websites with them. This is used to serve more targeted ads or refine where an advertising firm should spend its money.

Blocking third-party cookies would not be new or unheard of among browsers; Apple's Safari already rejects cookies from third-parties. In a blog post on Friday, Mayer called the Firefox patch, "a slightly relaxed version of the Safari policy." Chrome allows all cookies, and Internet Explorer blocks some third-party cookies, although not all.

Continued : http://arstechnica.com/business/2013/02/firefox-22-will-block-third-party-cookies/

Also:
Mozilla to Block Third-Party Cookies in Firefox
Firefox to spit out third-party cookies

SSHD rootkit in the wild
by Carol~ Forum moderator / February 25, 2013 2:06 AM PST

From the SANS ISC Diary:

There are a lot of discussions at the moment about a SSHD rootkit hitting mainly RPM based Linux distributions. Thanks to our reader unSpawn, we received a bunch of samples of the rootkit. The rootkit is actually a trojanized library that links with SSHD and does *a lot* of nasty things to the system.

At this point in time we still do not know what the initial attack vector is - it is unknown how the attackers get root access on the compromised servers that is needed to change the legitimate libkeyutils library with a trojanized one. We are, of course, keeping an eye on the development and will post a new diary or update this one if we receive more information about the attack vectors.

The trojanized library is very, very nasty. Upon execution it performs a number of actions, as described below.

Continued : https://isc.sans.edu/diary.html?storyid=15229

Mass-Customized Malware Lures: Don't trust your cat!
by Carol~ Forum moderator / February 25, 2013 2:06 AM PST

From the SANS ISC Diary:

Usually, we find that e-mail used to trick users to malicious or spam sites is either not customized at all, or manually tailored for a particular recipient. A couple years ago at our RSA panel with Alan Paller and Ed Skoudis, I alluded to "mass customized" malware. Malware that automatically harvests social networking accounts or other open source information to find out how to best target you. For example, the malware may see that you "Like" Star Trek on Facebook and then will send you a link to a new movie trailer.

For a while now, I am seeing simple e-mails that appear to be doing something like that. The emails follow the same pattern. The "Real Name" displayed is the name of a person I know. The from e-mail address however has no relation to the person, and is usually some kind of free email 'yahoo'/'gmail' style address. The body of the e-mail itself is just a one liner with a link.

I did suspect Facebook as the source of the information. For most of the "senders" I had gotten these e-mails from in the past, there are other ways than Facebook that link me to them. But wasn't sure about it until now, when I received the e-mail below.

Continued: https://isc.sans.edu/diary.html?storyid=15265

UPDATED: Windows Azure Storage Restored After Worldwide..
by Carol~ Forum moderator / February 25, 2013 4:23 AM PST
... Outage

Service was restored to Microsoft's Windows Azure storage on Saturday, after an expired SSL certificate left customers unable to access their data beginning Friday afternoon.

The SSL certificate expired on Friday afternoon and remained unavailable until Saturday morning. The worldwide outage affected HTTPS traffic accessing storage, though did not impact less secure HTTP traffic, the company confirmed on the Windows Azure Dashboard.

"We have executed repair steps to update SSL certificate on the impacted clusters and have recovered to over 99 percent availability across all sub-regions," according to an updated alert on the dashboard Saturday. "We will continue monitoring the health of the Storage service and SSL traffic for the next 24 hrs. Customers may experience intermittent failures during this period. We apologize for any inconvenience this causes our customers."

That did little to console some customers. "Most of our apps are screwed up now! WHATS NEXT? All compute instances die because someone at the data center switched them off?," wrote one customer on a Windows Azure MSDN forum.

Continued : http://rcpmag.com/articles/2013/02/22/windows-azure-cloud-storage-outage.aspx

Also:
Microsoft Azure Cloud Storage Suffers Major Outage Over Expired SSL Certificate
Microsoft secure Azure Storage goes down WORLDWIDE
Microsoft coughs up compensation for Azure cloud mess-up
China blamed for EADS and ThyssenKrupp hack attacks
by Carol~ Forum moderator / February 25, 2013 5:44 AM PST

Two more major organisations have gone public about what they claim were attempts by Chinese hackers to infiltrate their networks and steal sensitive information.

EADS, the European Aeronautic Defense and Space company, and steelmaker ThyssenKrupp are said to have become the targets of hack attacks originating in China, according to Der Spiegel.

EADS - who makes the Eurofighter jet, as well as spy drones, surveillance satellites, and even rockets for French nuclear weapons - are said to have contacted the German government last year to warn them that the military contractor's computer network has been hacked.

Officially, EADS have described the attack as "standard" and insisted that no harm has been done.

Continued : http://nakedsecurity.sophos.com/2013/02/25/china-eads-thyssenkrupp-hack/

Also:
Chinese hackers attacked Eurofighter maker EADS, company confirms
European Space, Industrial Firms Breached in Cyber Attacks: Report

Server hack prompts call for cPanel customers to take ..
by Carol~ Forum moderator / February 25, 2013 5:44 AM PST
... "immediate action"

"Change root and account passwords and rotate SSH keys, company advises."

The providers of the cPanel website management application are warning some users to immediately change their systems' root or administrative passwords after discovering one of its servers has been hacked.

In an e-mail sent to customers who have filed a cPanel support request in the past six months, members of the company's security team said they recently discovered the compromise of a server used to process support requests.

"While we do not know if your machine is affected, you should change your root level password if you are not already using SSH keys," they wrote, according to a copy of the e-mail posted to a community forum. "If you are using an unprivileged account with 'sudo' or 'su' for root logins, we recommend you change the account password. Even if you are using SSH keys we still recommend rotating keys on a regular basis."

Continued : http://arstechnica.com/security/2013/02/server-hack-prompts-call-for-cpanel-customers-to-take-immediate-action/

Also: cPanel Inc. Server Compromised
Google 2-step login verification flaw allows acc't hijacking
by Carol~ Forum moderator / February 25, 2013 6:30 AM PST

Duo Security researchers have found an easy way to bypass Google's two-step login verification by capturing a user's application-specific password.

"To make 2-step verification usable for all of their customers (and to bootstrap it into their rather expansive ecosystem without breaking everything), Google's engineers had to make a few compromises. In particular, with 2-step verification came a notion of 'Application-Specific Passwords' (ASPs)," explains Adam Goodman.

The user is required to create and use a separate ASP for every application that doesn't support 2-step verification logins - Adium, Apple Mail, Thunderbird, iCal, and so on.

But the problem with ASP is that, despite its name, it doesn't actually limit the users' access to only certain data or services in their accounts. "In fact, an ASP can be used to log into almost any of Google's web properties and access privileged account interfaces, in a way that bypasses 2-step verification," the researchers discovered.

Continued : http://www.net-security.org/secworld.php?id=14485

Also: Researchers Bypass Google Two-Factor Authentication
