Yet another Java security flaw discovered - Number 53
The title of this blog is far from unique. Tracking security flaws in Java is like counting grains of sand on a beach.
As I write this on January 27, 2013, the flaw in question is new. It is known by its creator, Adam Gowdiak of Security Explorations, simply as Issue 53.
Before going into detail, let's first put things in perspective.
The last Java flaw garnered a ton of attention, with a typical headline reporting that the Department of Homeland Security told everyone to disable Java. It's not clear why that flaw garnered so much attention. The New York Times reported it as a "rare" warning, but that news was not fit to print. The warning was routine.
In the middle of the last scare, Art Manion and Will Dormann of CERT wrote
"We've been telling people to disable Java for years. In fact, the first version of the Securing Your Web Browser document from 2006 provided clear recommendations for disabling Java in web browsers."
Oracle released a new edition of Java (Version 7 Update 11) to fix that problem, very quickly (perhaps an example of what bad publicity can do). But since that fix was issued on January 13th, the bad news for Java has continued to trickle out.
MORE BAD NEWS
* * * * * * * * * * * * * * * * * *
Java's new "very high" security mode can't protect you from malware
"Fix that was supposed to make malware attacks harder can be easily circumvented"
Security researchers have uncovered a newly discovered bug in Oracle's Java framework that allows attackers to bypass important security protections designed to prevent malware attacks.
The security improvements were introduced in Java 7 Update 10, and they came after a spate of in-the-wild attacks exploited fully patched versions of Java. Those allowed crooks to surreptitiously install malware on the computers of unsuspecting people using Java browser plugins. By default, the change required end users to manually allow the execution of Java code not digitally signed by a trusted authority. Users also had the ability to prevent any unsigned Java applet from running at all. Some security experts praised Oracle for adding the feature because it promised to drastically reduce the success of attacks that exploit security bugs in Java.
"Unfortunately, the above is only a theory," security researcher Adam Gowdiak wrote on Sunday, referring to the way the protections are supposed to block untrusted code from running on end-user computers. "In practice, it is possible to execute an unsigned (and malicious!) Java code without a prompt corresponding to security settings configured in Java Control Panel."
Continued : http://arstechnica.com/security/2013/01/javas-new-very-high-security-mode-cant-protect-you-from-malware/
Big Bank Mules Target Small Bank Businesses
A $170,000 cyberheist last month against an Illinois nursing home provider starkly illustrates how large financial institutions are being leveraged to target security weaknesses at small to regional banks and credit unions.
I have written about more than 80 organizations that were victims of cyberheists, and a few recurring themes have emerged from nearly all of these breaches. First, a majority of the victim organizations banked at smaller institutions. Second, virtually all of the money mules — willing or unwitting individuals recruited to help launder the stolen funds — used accounts at the top five largest U.S. banks.
The attack on Niles Nursing Inc. provides a textbook example. On Monday, Dec. 17, 2012, computer crooks logged into the company's online banking accounts using the controller's credentials and tunneling their connection through his hacked PC. At the beginning of the heist, the miscreants added 11 money mules to Niles' payroll, sending them automated clearing house (ACH) payments totaling more than $58,000, asking each mule to withdraw their transfers in cash and wire the money to individuals in Ukraine and Russia.
Continued : https://krebsonsecurity.com/2013/01/big-bank-mules-target-small-bank-businesses/
Trojan uses anti-spam system to keep in touch w/ C&C servers
Most malware is severely crippled if it can't contact the C&C servers from which it receives its instructions and updates, so malware authors are constantly coming up with new ways to thwart firewalls, intrusion prevention systems and local gateways blocking such communication.
The latest innovation in this particular "field" has been spotted by Symantec researcher Takashi Katsuki, who recently discovered a Trojan that uses Sender Policy Framework (SPF) to keep the connection between malware and C&C servers alive and well.
Ironically, the SPF is an email validation system designed to spot email spoofing and, therefore, spam.
"SPF consists of a domain name server (DNS) request and response. If a sender's DNS server is set up to use SPF, the DNS response contains the SPF in a text (TXT) record," explains Katsuki.
Continued : http://www.net-security.org/malware_news.php?id=2387
Browser-hijacking malware talks to attackers using SPF email validation protocol
Cybercriminals Use Anti-Spam System for Communication Between Malware and Server
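A defender-side illustration of the SPF point made above, added here and not taken from the article or from Symantec: a Python check that takes DNS TXT answer strings, keeps only those that start with v=spf1, and reports any terms that fall outside the mechanism and modifier grammar of RFC 7208, so an SPF-shaped record carrying other data stands out for review. The TXT strings below are constructed samples, not records from any real domain.

```python
import re

# Mechanisms and modifiers defined by RFC 7208 (SPF). Unknown modifiers are
# legal and ignored by SPF verifiers, which is exactly why they are worth a look.
SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
SPF_MODIFIERS = {"redirect", "exp"}

MODIFIER_RE = re.compile(r"^([a-z][a-z0-9_.\-]*)=(.*)$")
MECHANISM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:/].*)?$")


def classify_spf_txt(txt):
    """Return (is_spf, unknown_terms) for one DNS TXT record string.

    Only records whose first term is 'v=spf1' are treated as SPF. Every
    following term must be a (qualified) mechanism or a known modifier;
    anything else is collected in unknown_terms for a human to review.
    """
    parts = txt.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        return False, []
    unknown = []
    for term in parts[1:]:
        term_l = term.lower()
        m = MODIFIER_RE.match(term_l)          # name=value form
        if m:
            if m.group(1) not in SPF_MODIFIERS:
                unknown.append(term)
            continue
        m = MECHANISM_RE.match(term_l)         # [qualifier]name[:arg|/cidr]
        if m and m.group(1) in SPF_MECHANISMS:
            continue
        unknown.append(term)
    return True, unknown


def flag_records(records):
    """Return [(txt, unknown_terms)] for SPF records carrying unknown terms."""
    flagged = []
    for txt in records:
        is_spf, unknown = classify_spf_txt(txt)
        if is_spf and unknown:
            flagged.append((txt, unknown))
    return flagged


# Constructed TXT answers: two ordinary SPF records, one non-SPF TXT record,
# and one SPF-shaped record that smuggles an unknown modifier past verifiers.
SAMPLE_TXT = [
    "v=spf1 include:_spf.example.com ip4:192.0.2.0/24 -all",
    "v=spf1 a mx ~all",
    "google-site-verification=abc123",
    "v=spf1 a mx data=ZXhhbXBsZQ== -all",
]

if __name__ == "__main__":
    for txt, unknown in flag_records(SAMPLE_TXT):
        print("review:", txt, "->", unknown)
```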
Google faces legal action in the UK over Safari cookies
A group of Internet users in the U.K. are seeking damages, disclosure and an apology from Google for its alleged undermining of the security settings on Apple's Safari browser to track online usage covertly.
Members of the group, described as informal, have instructed a technology and media law firm, Olswang, to begin action against Google, the group said.
The claims center around tracking cookies, which were allegedly installed in secret by Google on computers and mobile devices of users of the Safari browser, Olswang said in a statement on Sunday. The legal firm has been retained by the group to coordinate claims.
The U.S. Federal Trade Commission said in August last year that Google agreed to pay US$22.5 million civil penalty to settle charges that it misrepresented to users of Safari that it would not place tracking cookies or serve targeted ads to those users, violating an earlier privacy settlement between the company and the FTC.
Continued : http://www.networkworld.com/news/2013/012813-google-faces-legal-action-in-266174.html
Google faces UK legal action over Apple Safari tracking claims
Google faces UK legal action over Apple privacy concerns
Upswing in Ransomware Activity
From the Symantec Security Response Blog:
As we predicted toward the end of last year, we are once again seeing an upswing in ransomware activity in 2013. The ransomware extortion scam has been in existence now for a number of years but its popularity among cybercriminals has grown over the last two years and it continues to indiscriminately plague computer users in greater numbers. Symantec has tracked this growing menace in various blogs, a whitepaper, and a video.
In the last week Symantec has observed a new spike in ransomware activity being seen worldwide. While several variants of the ransomware threat are responsible for the overall spike, the main ransomware variant being observed is Trojan.Ransomlock.Y. This variant is being distributed through pornographic websites leading to the Impact Exploit kit. Symantec has the following Intrusion Prevention Signatures (IPS) in place for the Impact Exploit kit and is observing a similar telemetry spike around detections of this exploit kit:
• Web Attack: Impact Exploit Kit Website
• Web Attack: Impact Exploit Kit Website 2
• Web Attack: Impact Exploit Kit Website 3
Google Outlines How it Handles User Data Requests, Pushes for Reforms
In honor of Data Privacy Day, Google this morning offered some more insight into how it handles government requests for your data, and pushed Congress to update an outdated law that covers how the feds can access your information.
Google said it scrutinizes every request carefully to make sure it's in line with its policies. "For us to consider complying, it generally must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law," the search giant said in a blog post.
The info comes several days after Google released an update to its Transparency Report, which included a breakdown, for the first time, of how U.S. government officials requested data from Google about its users: subpoena, search warrants, or court orders.
Overall, user data requests have jumped more than 70 percent since 2009, Google said last week. In total, Google received 21,389 requests for information about 33,634 users in the last six months of 2012, most of which - 68 percent - were subpoenas.
Continued : http://www.pcmag.com/article2/0,2817,2414766,00.asp
When late last year Facebook changed its Statement of Rights and Responsibilities and Data Use Policy, the social network's users lost their right to vote on future proposed changes, but retained that of commenting on them when they are made public and influencing their final form.
At the time, Elliot Schrage, Facebook's vice president of communications, public policy, and marketing, announced new ways to establish a "meaningful dialogue" between the company and the Facebook community, among which was also a new feature that would let users submit questions to Erin Egan, Facebook's Chief Privacy Officer of Policy.
The feature has finally been launched today (coincidence or not, today is also Data Privacy Day), and can be accessed here.
Users are urged to submit privacy-related questions to Egan by filling out an online form, and she will answer a few of them each month. She has started this month by answering some privacy questions she gets asked on a regular basis.
Continued : http://www.net-security.org/secworld.php?id=14314
Apple updates iOS fixing 27 vulnerabilities and TURKTRUST
Apple has released version 6.1 of its iOS operating system that is the brains of millions of iPhones, iPads and iPod Touch devices.
I would consider this to be a critical update, as many of the fixes can be used to remotely compromise your shiny iDevices.
iOS 6.1 is available for users of the iPhone 3GS and later, iPad 2 and later and iPod Touch 4th generation and later. Apparently Apple's advice to users of its older hardware is "buy new ones".
The vast majority of the flaws were in WebKit, the rendering engine used by Safari to display web content. This isn't surprising as it is a very complicated component.
It is also a very dangerous component to leave vulnerable as it can be attacked by any web page controlled by someone with malicious intent. I would make these updates a priority.
Some of these fixes have been known for some time. A bug in handling Japanese Unicode characters dates back to 2011 and could lead to a cross-site scripting attack.
You could even characterize this update as long awaited as it finally addresses the bad certificates released by TURKTRUST and discovered this past Christmas.
Continued : http://nakedsecurity.sophos.com/2013/01/28/apple-updates-ios-fixing-27-vulnerabilities-and-turktrust-revocation/
Facebook Graph Search Mines Potentially Rich Data for Phishers, Attackers
Facebook is serious about its new Graph Search feature, which helps users of the social media site narrowly search for friends with common interests in a much more intuitive fashion than a Google search, for example. Founder Mark Zuckerberg had tagged Graph Search the third Facebook pillar, right alongside the site's news feed and timeline. So why are security and privacy experts nervous? There's some serious horsepower behind Graph Search, and there are users whose interests aren't as benign as finding friends of friends in a particular location who happen to like country music, fine wine and yoga.
"This is basically a beautiful feature coming from a social engineering point of view," said Christopher Hadnagy, owner of White Hat Defense and founder of socialengineer.org. "I see this as a benefit for social engineers because you're giving them victims; they're not guessing anymore. Usually, a phisher or spammer collects a couple hundred email addresses and they're hoping 10 percent of those who get it have an interest in what the email is about. With this tool, it gives a malicious person the ability to figure out whom to target with a particular message because they know their interests."
Continued : https://threatpost.com/en_us/blogs/facebook-graph-search-mines-potentially-rich-data-phishers-attackers-012813
Related to Graph Search: How to find single women who like men *and* like getting drunk, with Facebook Graph Search
Facebook Graph Search is made out of people.
"Facebook Graph Search is made out of people. They're making our food out of people.
You've gotta tell them. You've gotta tell them! It's people!"
But at what cost?
"...it's hard to look at something like the newly launched Facebook Graph search, and not feel like the whole of your being has been stripped down to ones and zeroes"
"You've gotta tell them! It's people!"