Spyware, Viruses, & Security forum


NEWS - January 08, 2013

by Carol~ Forum moderator / January 7, 2013 9:42 PM PST
Yahoo Mail users hit by widespread hacking, XSS exploit seemingly to blame (Update: Fixed)

Late last night reports started coming in suggesting that Yahoo Mail users have had their accounts hacked. While "hacked" is a very broad term nowadays, it does appear that Yahoo email accounts are being compromised after users click on a malicious link they receive in their inboxes.

Update at 6:20PM EST: Yahoo says it has plugged the security hole in question as detailed at the bottom of this article.

A bit of digging shows the attack seems to have been carried out by a lone hacker by the name Shahin Ramezany. He has uploaded a video to YouTube demonstrating how to compromise a Yahoo account by leveraging a DOM-Based XSS vulnerability that is exploitable in all major browsers:

The technique shown off is very simple, can be performed in just a few minutes, and seems to be very easy to automate. In his only tweet about the hack so far, Ramezany notes the vulnerability puts some 400 million Yahoo users at risk and promises the full details of his method will be posted after Yahoo plugs the security hole.

Continued : http://thenextweb.com/insider/2013/01/07/yahoo-mail-users-hit-by-widespread-hacking-xss-exploit-seemingly-to-blame/

Also: Yahoo Confirms It Has Fixed A Vulnerability In Mail

Yahoo Mail XSS Vulnerability Could Affect Millions of Accounts
Yahoo Mail Endures Another Hacking Vulnerability

Adobe warns of actively exploited ColdFusion flaws
by Carol~ Forum moderator / January 7, 2013 9:53 PM PST

"Company expects to release patches on January 15"

Adobe Systems warned users of its ColdFusion application server software that hackers are reportedly exploiting unpatched vulnerabilities in the product to take control of affected servers.

The company published a security advisory on Friday regarding three critical vulnerabilities - identified as CVE-2013-0625, CVE-2013-0629 and CVE-2013-0631 - that affect ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0.

CVE-2013-0625 can be exploited to bypass authentication controls and take control of a ColdFusion server, CVE-2013-0629 can allow unauthorized users to access restricted directories on a vulnerable server and CVE-2013-0631 can result in information disclosure.

Continued : http://news.techworld.com/security/3418957/adobe-warns-of-actively-exploited-coldfusion-flaws/

Also: Adobe ColdFusion Exploits in Wild; Patch Remains Week Away

Yahoo adds HTTPS support to Yahoo mail
by Carol~ Forum moderator / January 7, 2013 9:53 PM PST

Yahoo has begun to catch up with the other webmail providers and is now offering HTTPS as an option on its service. Support for HTTPS has been requested for a long time by users of the system to help improve their privacy when accessing mail, especially over Wi-Fi connections; logging in with HTTPS previously redirected users to an HTTP based service. Now users can select Options->Mail Options and select "Turn On SSL"; this will ensure that HTTPS is enabled on their connection.

According to user feedback, the option appears to be being rolled out slowly and may not be available to all user accounts yet. Yahoo has made no official statement about the new option. The Electronic Frontier Foundation congratulated Yahoo on moving to fulfill a request that the EFF made in November to ensure SSL was available to users, especially those under repressive regimes where internet monitoring was common. The organisation is now looking at how to enable the Yahoo Mail SSL option automatically in its HTTPS Everywhere software.


Best Browser for Blocking Fraud? Opera!
by Carol~ Forum moderator / January 7, 2013 9:54 PM PST

In the movies, hackers work hard breaking into electronic networks to steal passwords. In the real world, they just politely ask for your credentials using a phishing website designed to look exactly like a valid financial website. If you log in to the fake website, you compromise your own security.

Fortunately, most popular browsers include some degree of antiphishing protection. Unfortunately, their effectiveness varies widely. AV-Comparatives just released the results of a test examining how well popular browsers detect and block these frauds.

I test antiphishing protection for my own security reviews by checking URLs that have been reported as fraudulent, but not yet verified. I check each one myself, using only those that are clearly fraudulent and clearly attempt to steal login credentials. I find that a significant majority of current security suites are less effective at phishing prevention than Internet Explorer 8 alone. However, Internet Explorer didn't come out on top in the AV-Comparatives study.

Testing Methodology

Continued : http://securitywatch.pcmag.com/none/306686-best-browser-for-blocking-fraud-opera

Jailbreak for Windows 8 RT
by Carol~ Forum moderator / January 7, 2013 10:02 PM PST

A developer calling himself 'clrokr' has found a way of bypassing the code integrity checking feature in Windows RT. Windows RT is the version of Windows 8 designed for tablets containing ARM processors. The bypass should enable users to run unsigned desktop applications on Surface tablets and other devices running Windows RT.

The developer ascribes the breakthrough to the thoroughness with which Microsoft has ported its operating system to the ARM platform. Functionally, he says, Windows RT has been implemented so cleanly that, deep in the kernel, the same byte is used to specify the minimum level for code signing as is used in the desktop version. Windows uses this byte to determine the quality of code signatures. Unsigned applications receive the lowest possible classification of 0. Microsoft signatures are classed as 8 and Windows components are classed as 12.

On x86 desktop machines, applications run with a minimum signing level of 0. Windows RT by contrast only accepts signatures with level 8 or above, that indicates signatures directly approved by Microsoft. This figure is stored directly in the kernel, where it cannot be changed. Once the system has loaded this value into memory, however, it can be modified there. To do so, clrokr used the remote debugger to hook into the active user's CSRSS process and then inject modified code. The Client/Server Runtime Subsystem is a core component of the Windows kernel.

Continued : http://www.h-online.com/security/news/item/Jailbreak-for-Windows-8-RT-1779083.html

Related: Windows RT hack? Don't sweat it, Microsoft says

ENISA summarizes 120 threat reports, identifies top trends
by Carol~ Forum moderator / January 7, 2013 11:52 PM PST

The EU's cyber security agency ENISA has published the first Cyber Threat Landscape analysis of 2012, summarizing over 120 threat reports.

The report identifies and lists the top threats and their trends, and concludes that drive-by exploits have become the top web threat.

The report summarizes 120 recent reports from 2011 and 2012 from the security industry, networks of excellence, standardization bodies and other independent parties, making the report the world's most comprehensive synthesis presently available.

The report provides an independent overview of observed threats and threat agents together with the current top threats, and emerging threats trends landscapes. Moreover, the Threat Landscape report analyses the "cyber enemy"; identifying and also listing the top ten (out of a total of sixteen) threats in emerging technology areas.

The identified top ten threats are:

Continued : http://www.net-security.org/secworld.php?id=14194

Also: Drive-by attacks, Trojans and code injection the biggest threats, says ENISA

Romanian sentenced for multimillion-dollar payment card hack
by Carol~ Forum moderator / January 7, 2013 11:52 PM PST

A Romanian national was sentenced today to serve 21 months in prison for his role in an international, multimillion-dollar scheme to remotely hack into and steal payment card data from hundreds of U.S. merchants' computers, announced the U.S. Department of Justice.

Cezar Butu, 27, of Ploiesti, Romania, was sentenced by Judge Steven J. McAuliffe in U.S. District Court in New Hampshire.

On Sept. 17, 2012, Butu pleaded guilty to one count of conspiracy to commit access device fraud.

In his guilty plea, Butu admitted that, from approximately 2009-2011, he participated in a Romanian-based conspiracy to hack into hundreds of U.S.-based computers to steal credit, debit and payment account numbers and associated data (collectively "payment card data") that belonged to U.S. cardholders.

Continued : http://www.net-security.org/secworld.php?id=14197

Also: Romanian sentenced to 21 months over payment card hacks

Facebook password reset bug closed
by Carol~ Forum moderator / January 8, 2013 1:23 AM PST

In the process of creating a system which would allow Facebook users with compromised accounts to regain control of their accounts, the company managed to open a hole which could have allowed attackers to reset users' passwords without knowing their old password and, ironically, allowing them to compromise users' accounts. The flaw was reported to Facebook and closed through its White Hat disclosure page.

The problem, discovered by Sow Ching Shiong and documented on his blog, required that the user be logged in and visit the https://www.facebook.com/hacked URL. This URL is apparently designed for users who still have an active session but believe their account has been compromised; accessing it without logging in sends the user to forms which ask them to establish their identity. If they are logged in, the user was redirected to https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked and on clicking "Continue" on that page asked to enter a new password. But, contrary to best practice, the form did not ask for their old password.

Continued : http://www.h-online.com/security/news/item/Facebook-password-reset-bug-closed-1779440.html

Related: Serious Flaw in Facebook Allows Arbitrary Account Hijacking

New Android Malware Steals Personal Data
by Carol~ Forum moderator / January 8, 2013 5:18 AM PST
Symantec has identified new malware targeting Google Android devices that collects personal data.

The malware, detected as Android.Exprespam, is spread through the spamming of links to fake Google Play pages. These pages are hosted on a server located in Washington.

"It is worth noting that the site actually calls itself Gcogle Play," blogged Symantec threat analyst Joji Hamada. "The domain for the website was registered on December 27 and the malicious APK file contains a signature valid from January 2."

"We have confirmed nine different app pages on this site, although the downloaded app is the same in each case," according to Hamada. "A couple of the fake app pages resemble the type of fake tools used by older malware, but most are new types of fake tools. The scammers have made available a variety of apps in the hope that it increases the chances of the apps being installed. This is a distinct ramping up of activities as older malware masqueraded at most as three apps on a site simultaneously."

The installation screen displays the permissions the malware requests, which include access to personal information, the phone state and identity and account information. Legitimate applications generally do not request these permissions, the researcher noted.

Continued : http://www.securityweek.com/google-android-malware-steals-personal-data
Cybercriminals mostly targeting LinkedIn, PayPal and Amazon
by Carol~ Forum moderator / January 8, 2013 5:18 AM PST

GFI Software released a collection of the most prevalent threat detections encountered last month. In December, GFI threat researchers found a handful of phony Google Play app markets hosting mobile Trojans as well as a number of spam email campaigns posing as messages from Amazon, PayPal and LinkedIn.

"Cybercriminals often make the effort to create phony websites and spam emails that appear authentic in order to increase the chances of catching users off guard and infecting their PCs," said Christopher Boyd, senior threat researcher at GFI Software.

"Over the past year, we have seen cybercriminals improve their ability to fabricate even more convincing sites that prey on users who rush into providing personally identifiable information or installing applications without completely investigating the legitimacy of the source. Users should be extra careful in every situation by taking the time to look at URLs and manually navigating to the sites that they want to visit," Boyd added.

Continued : http://www.net-security.org/malware_news.php?id=2370
