Spyware, Viruses, & Security forum


NEWS - January 28, 2013

by Carol~ Forum moderator / January 28, 2013 3:09 AM PST
Oracle's Java Chief Promises to "Fix" Java

Oracle pledged to fix the issues in Java and to improve how it communicates with users.

The database giant will "get Java fixed up" to improve security, Milton Smith, Java security lead at Oracle, said during a conference call with Java User Group leaders last week. The conference call came a few weeks after researchers uncovered various attacks exploiting serious vulnerabilities in Java. Even after the company rushed out an emergency update to patch the flaws, researchers found additional bugs.

"No amount of talking or smoothing over is going to make anybody happy. We have to fix Java," Smith said on the call.

Security experts have long advised users who don't regularly access Websites to go ahead and disable Java in their Web browsers. The Department of Homeland Security's Computer Emergency Response Team reiterated the recommendation earlier this month. "This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered," according to the CERT advisory. "To defend against this and future Java vulnerabilities, consider disabling Java in Web browsers until adequate updates are available," CERT wrote.

Continued : http://www.pcmag.com/article2/0,2817,2414751,00.asp

Also: Java fix and better communication needed, says Oracle's Java security head
Yet another Java security flaw discovered - Number 53
by Carol~ Forum moderator / January 28, 2013 4:14 AM PST

The title of this blog is far from unique. Tracking security flaws in Java is like counting grains of sand on a beach.

As I write this on January 27, 2013, the flaw in question is new. It is known by its creator, Adam Gowdiak of Security Explorations, simply as Issue 53.

Before going into detail, let's first put things in perspective.

The last Java flaw garnered a ton of attention, with a typical headline reporting that the Department of Homeland Security told everyone to disable Java. It's not clear why that flaw garnered so much attention. The New York Times reported it as a "rare" warning, but that news was not fit to print. The warning was routine.

In the middle of the last scare, Art Manion and Will Dormann of CERT wrote

"We've been telling people to disable Java for years. In fact, the first version of the Securing Your Web Browser document from 2006 provided clear recommendations for disabling Java in web browsers."

Oracle released a new edition of Java (Version 7 Update 11) to fix that problem, very quickly (perhaps an example of what bad publicity can do). But since that fix was issued on January 13th, the bad news for Java has continued to trickle out.


Continued: http://blogs.computerworld.com/malware-and-vulnerabilities/21693/yet-another-java-security-flaw-discovered-number-53

* * * * * * * * * * * * * * * * * *

Java's new "very high" security mode can't protect you from malware

"Fix that was supposed to make malware attacks harder can be easily circumvented"

Security researchers have uncovered a newly discovered bug in Oracle's Java framework that allows attackers to bypass important security protections designed to prevent malware attacks.

The security improvements were introduced in Java 7 Update 10, and they came after a spate of in-the-wild attacks exploited fully patched versions of Java. Those allowed crooks to surreptitiously install malware on the computers of unsuspecting people using Java browser plugins. By default, the change required end users to manually allow the execution of Java code not digitally signed by a trusted authority. Users also had the ability to prevent any unsigned Java applet from running at all. Some security experts praised Oracle for adding the feature because it promised to drastically reduce the success of attacks that exploit security bugs in Java.

"Unfortunately, the above is only a theory," security researcher Adam Gowdiak wrote on Sunday, referring to the way the protections are supposed to block untrusted code from running on end-user computers. "In practice, it is possible to execute an unsigned (and malicious!) Java code without a prompt corresponding to security settings configured in Java Control Panel."

Continued : http://arstechnica.com/security/2013/01/javas-new-very-high-security-mode-cant-protect-you-from-malware/

Big Bank Mules Target Small Bank Businesses
by Carol~ Forum moderator / January 28, 2013 4:37 AM PST

A $170,000 cyberheist last month against an Illinois nursing home provider starkly illustrates how large financial institutions are being leveraged to target security weaknesses at small to regional banks and credit unions.

I have written about more than 80 organizations that were victims of cyberheists, and a few recurring themes have emerged from nearly all of these breaches. First, a majority of the victim organizations banked at smaller institutions. Second, virtually all of the money mules — willing or unwitting individuals recruited to help launder the stolen funds — used accounts at the top five largest U.S. banks.

The attack on Niles Nursing Inc. provides a textbook example. On Monday, Dec. 17, 2012, computer crooks logged into the company's online banking accounts using the controller's credentials and tunneling their connection through his hacked PC. At the beginning of the heist, the miscreants added 11 money mules to Niles' payroll, sending them automated clearing house (ACH) payments totaling more than $58,000, asking each mule to withdraw their transfers in cash and wire the money to individuals in Ukraine and Russia.

Continued : https://krebsonsecurity.com/2013/01/big-bank-mules-target-small-bank-businesses/

Trojan uses anti-spam system to keep in touch w/ C&C servers
by Carol~ Forum moderator / January 28, 2013 5:57 AM PST

Most malware is severely crippled if it can't contact the C&C servers from which it receives its instructions and updates, so malware authors are constantly coming up with new ways to thwart firewalls, intrusion prevention systems and local gateways blocking such communication.

The latest innovation in this particular "field" has been spotted by Symantec researcher Takashi Katsuki, who recently discovered a Trojan that uses Sender Policy Framework (SPF) to keep the connection between malware and C&C servers alive and well.

Ironically, the SPF is an email validation system designed to spot email spoofing and, therefore, spam.

"SPF consists of a domain name server (DNS) request and response. If a sender's DNS server is set up to use SPF, the DNS response contains the SPF in a text (TXT) record," explains Katsuki.

Continued : http://www.net-security.org/malware_news.php?id=2387

Browser-hijacking malware talks to attackers using SPF email validation protocol
Cybercriminals Use Anti-Spam System for Communication Between Malware and Server
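The post above describes SPF lookups as ordinary DNS TXT request/response pairs, which is exactly why a resolver log is the place a defender would look for misuse of them. The following is an added example, not code from the article, from Symantec or from Katsuki's analysis: it parses a constructed resolver log in a hypothetical "timestamp client TXT qname answer" format, checks each TXT answer against SPF syntax (RFC 7208 mechanisms and modifiers), and flags answers that are not SPF, DKIM or DMARC records, as well as TXT lookups from hosts that are not on an assumed allow-list of mail servers (the `MAIL_SERVERS` set and the sample log lines are constructed for the example).

```python
"""Flag unusual DNS TXT traffic in a resolver log (added example, not from the article)."""
import re

# Hosts expected to perform SPF/DKIM/DMARC lookups (constructed allow-list).
MAIL_SERVERS = {"10.0.0.5"}

# One SPF term: optional qualifier followed by a mechanism (RFC 7208 section 5).
MECHANISM_RE = re.compile(
    r"^[+\-~?]?("
    r"all|include:\S+|a(?::\S+)?(?:/\d{1,2})?|mx(?::\S+)?(?:/\d{1,2})?|ptr(?::\S+)?"
    r"|ip4:\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?|ip6:[0-9a-fA-F:.]+(?:/\d{1,3})?|exists:\S+"
    r")$",
    re.IGNORECASE,
)
# SPF modifiers (RFC 7208 section 6).
MODIFIER_RE = re.compile(r"^(redirect|exp)=\S+$", re.IGNORECASE)

# Hypothetical log format: "<timestamp> <client-ip> TXT <qname> \"<answer>\""
LINE_RE = re.compile(r'^(\S+) (\S+) TXT (\S+) "(.*)"$')


def is_valid_spf(txt: str) -> bool:
    """True if every term of the record is a legal SPF mechanism or modifier."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False
    return all(MECHANISM_RE.match(t) or MODIFIER_RE.match(t) for t in terms[1:])


def classify_txt(answer: str) -> str:
    """Sort a TXT answer into spf / malformed-spf / mail-policy / unexpected."""
    a = answer.strip()
    low = a.lower()
    if low.startswith("v=spf1"):
        return "spf" if is_valid_spf(a) else "malformed-spf"
    if low.startswith(("v=dkim1", "v=dmarc1")):
        return "mail-policy"
    return "unexpected"


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, qname, answer = m.groups()
    return {"ts": ts, "client": client, "qname": qname, "answer": answer}


def analyze(log_text: str):
    """Return a list of (client, qname, reason) findings worth an analyst's look."""
    findings = []
    flagged_clients = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify_txt(rec["answer"])
        if kind in ("malformed-spf", "unexpected"):
            findings.append((rec["client"], rec["qname"], kind))
        # A workstation has little reason to fetch SPF records at all; flag it once.
        if rec["client"] not in MAIL_SERVERS and rec["client"] not in flagged_clients:
            flagged_clients.add(rec["client"])
            findings.append((rec["client"], rec["qname"], "txt-lookup-from-non-mail-host"))
    return findings


# Constructed sample log: two normal SPF lookups from the mail server, then two
# TXT lookups from a workstation, one returning a non-SPF blob and one a record
# that claims to be SPF but contains an unknown term.
SAMPLE_LOG = """\
2013-01-28T10:00:01 10.0.0.5 TXT example.com "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
2013-01-28T10:00:02 10.0.0.5 TXT example.org "v=spf1 mx -all"
2013-01-28T10:00:03 10.0.0.77 TXT suspicious.example "QUJDREVGR0hJSktM"
2013-01-28T10:00:04 10.0.0.77 TXT suspicious.example "v=spf1 +all xyzzy:notamechanism"
"""

if __name__ == "__main__":
    for client, qname, reason in analyze(SAMPLE_LOG):
        print(f"{client} -> {qname}: {reason}")
```

The two mail-server lookups produce nothing, while the workstation produces three findings: an unexpected TXT payload, a malformed SPF record, and the fact that a non-mail host is doing TXT lookups at all. In a real deployment the allow-list would come from the mail gateway inventory, and the volume of TXT queries per client over time would be a third signal to add.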

Google faces legal action in the UK over Safari cookies
by Carol~ Forum moderator / January 28, 2013 5:57 AM PST

A group of Internet users in the U.K. are seeking damages, disclosure and an apology from Google for its alleged undermining of the security settings on Apple's Safari browser to track online usage covertly.

Members of the group, described as informal, have instructed a technology and media law firm, Olswang, to begin action against Google, the group said.

The claims center around tracking cookies, which were allegedly installed in secret by Google on computers and mobile devices of users of the Safari browser, Olswang said in a statement on Sunday. The legal firm has been retained by the group to coordinate claims.

The U.S. Federal Trade Commission said in August last year that Google agreed to pay a US$22.5 million civil penalty to settle charges that it misrepresented to users of Safari that it would not place tracking cookies or serve targeted ads to those users, violating an earlier privacy settlement between the company and the FTC.

Continued : http://www.networkworld.com/news/2013/012813-google-faces-legal-action-in-266174.html

Google faces UK legal action over Apple Safari tracking claims
Google faces UK legal action over Apple privacy concerns

Upswing in Ransomware Activity
by Carol~ Forum moderator / January 28, 2013 5:58 AM PST

From the Symantec Security Response Blog:

As we predicted toward the end of last year, we are once again seeing an upswing in ransomware activity in 2013. The ransomware extortion scam has been in existence now for a number of years but its popularity among cybercriminals has grown over the last two years and it continues to indiscriminately plague computer users in greater numbers. Symantec has tracked this growing menace in various blogs, a whitepaper, and a video.

In the last week Symantec has observed a new spike in ransomware activity being seen worldwide. While several variants of the ransomware threat are responsible for the overall spike, the main ransomware variant being observed is Trojan.Ransomlock.Y. This variant is being distributed through pornographic websites leading to the Impact Exploit kit. Symantec has the following Intrusion Prevention Signatures (IPS) in place for the Impact Exploit kit and is observing a similar telemetry spike around detections of this exploit kit:

• Web Attack: Impact Exploit Kit Website
• Web Attack: Impact Exploit Kit Website 2
• Web Attack: Impact Exploit Kit Website 3

[Screenshot: Trojan.Ransomlock.Y]

Continued: http://www.symantec.com/connect/blogs/upswing-ransomware-activity

Twitter Says Government Data Requests Rise
by Carol~ Forum moderator / January 28, 2013 5:58 AM PST

Twitter said Monday that worldwide requests from governments about its users rose nearly 20 percent in the second half of 2012 as it sought to raise awareness about "invasive" actions.

The popular messaging platform said information requests in the July-December period numbered 1,009, up from 849 in the prior six months.

In launching a revamped "transparency report" modeled after one by Google, Twitter said it hopes the data can be useful to those seeking to keep an open Internet.

"We believe the open exchange of information can have a positive global impact," Twitter legal policy manager Jeremy Kessel said in a blog post marking what activists have dubbed Data Privacy Day.

"To that end, it is vital for us (and other Internet services) to be transparent about government requests for user information and government requests to withhold content from the Internet; these growing inquiries can have a serious chilling effect on free expression -- and real privacy implications."

Continued : http://www.securityweek.com/twitter-says-government-data-requests-rise

Government Appetite Growing for Twitter User Data
Twitter Complied with 69% of US Government Requests for Account Data
Twitter complies with over half of all requests for user data

Google Outlines How it Handles User Data Requests, Pushes for Reforms
by Carol~ Forum moderator / January 28, 2013 5:58 AM PST

In honor of Data Privacy Day, Google this morning offered some more insight into how it handles government requests for your data, and pushed Congress to update an outdated law that covers how the feds can access your information.

Google said it scrutinizes every request carefully to make sure it's in line with its policies. "For us to consider complying, it generally must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law," the search giant said in a blog post.

The info comes several days after Google released an update to its Transparency Report, which included a breakdown, for the first time, of how U.S. government officials requested data from Google about its users: subpoena, search warrants, or court orders.

Overall, user data requests have jumped more than 70 percent since 2009, Google said last week. In total, Google received 21,389 requests for information about 33,634 users in the last six months of 2012, most of which - 68 percent - were subpoenas.

Continued : http://www.pcmag.com/article2/0,2817,2414766,00.asp
Facebook's CPO tackles privacy policy questions
by Carol~ Forum moderator / January 28, 2013 6:07 AM PST

When late last year Facebook changed its Statement of Rights and Responsibilities and Data Use Policy, the social network's users lost their right to vote on future proposed changes, but retained that of commenting on them when they are made public and influencing their final form.

At the time, Elliot Schrage, Facebook's vice president of communications, public policy, and marketing, announced new ways to establish a "meaningful dialogue" between the company and the Facebook community, among which was also a new feature that would let users submit questions to Erin Egan, Facebook's Chief Privacy Officer of Policy.

The feature has finally been launched today (coincidence or not, today is also Data Privacy Day), and can be accessed here.

Users are urged to submit privacy-related questions to Egan by filling out an online form, and she will answer a few of them each month. She has started this month by answering some privacy questions she gets asked on a regular basis.

Continued : http://www.net-security.org/secworld.php?id=14314

Apple updates iOS fixing 27 vulnerabilities and TURKTRUST revocation
by Carol~ Forum moderator / January 28, 2013 8:49 AM PST

Apple has released version 6.1 of its iOS operating system that is the brains of millions of iPhones, iPads and iPod Touch devices.

I would consider this to be a critical update, as many of the fixes can be used to remotely compromise your shiny iDevices.

iOS 6.1 is available for users of the iPhone 3GS and later, iPad 2 and later and iPod Touch 4th generation and later. Apparently Apple's advice to users of its older hardware is "buy new ones".

The vast majority of the flaws were in WebKit, the rendering engine used by Safari to display web content. This isn't surprising as it is a very complicated component.

It is also a very dangerous component to leave vulnerable as it can be attacked by any web page controlled by someone with malicious intent. I would make these updates a priority.

Some of these fixes have been known for some time. A bug in handling Japanese Unicode characters dates back to 2011 and could lead to a cross-site scripting attack.

You could even characterize this update as long awaited as it finally addresses the bad certificates released by TURKTRUST and discovered this past Christmas.

Continued : http://nakedsecurity.sophos.com/2013/01/28/apple-updates-ios-fixing-27-vulnerabilities-and-turktrust-revocation/
Anons hack Asteroids into US DoJ website in Swartz death..
by Carol~ Forum moderator / January 28, 2013 8:49 AM PST

The Anonymous hacking collective attacked a US Justice Department website over the weekend to protest against the prosecution of Reddit co-founder Aaron Swartz.

The hacktivists followed up the initial assault on Ussc.gov, the US Sentencing Commission's website, by planting an easter egg in the form of retro video game Asteroids on the government portal.

As part of its Operation Last Resort, the hacktivist group also released encrypted files supposedly containing state secrets, for which it has threatened to release encryption keys unless the DoJ "reforms".

The miscreants managed to infiltrate Ussc.gov on Saturday morning. They said the break-in was in retaliation against FBI prosecutions against Anonymous members and what it sees as the harsh handling of the Swartz case by the US Justice Dept.

Internet prodigy Swartz killed himself at his New York apartment earlier this month after he faced potentially years in jail for allegedly planning to redistribute articles copied from science journal archive JSTOR; his family accused the prosecution of pursuing their son too aggressively.

Continued : http://www.theregister.co.uk/2013/01/28/anon_doj_hack_swartz_protest/

Hackers play Asteroids on US government websites
Anonymous re-hacks US Sentencing site into video game Asteroids
Anonymous defaces US Sentencing Commission site
US Sentencing Commission site down, Anonymous claims responsibility (Updated)
US military to massively increase cyber security personnel
by Carol~ Forum moderator / January 28, 2013 8:49 AM PST

The US Department of Defense is to increase the size of its cybersecurity forces fivefold over the next few years, boosting the department's Cyber Command personnel from 900 to 4,900. Anonymous US officials said the expansion had been approved by the Pentagon at the end of last year, according to a report in the Washington Post.

Those officials noted that attacks, such as the one which wiped data from 30,000 computers at a Saudi Arabian state oil company last summer, had highlighted the gravity of the threat for the Pentagon.

The plan will involve the creation of three forces under Cyber Command. A "national mission force" will focus on US infrastructure, power grids and plants, a "combat mission force" will help commanders plan and execute offensive operations outside the US and "cyber protection forces" will shore up the Defense Department's own network defenses. The plan appears to go further than the cyber strategy plan presented in July 2011.


Pentagon to boost cybersecurity force numbers: report
Pentagon Plans Massive Increase in Cybersecurity Teams
U.S. DoD's cybersecurity force to increase fivefold

Facebook Graph Search Mines Potentially Rich Data for Phishers, Attackers
by Carol~ Forum moderator / January 28, 2013 8:50 AM PST

Facebook is serious about its new Graph Search feature, which helps users of the social media site narrowly search for friends with common interests in a much more intuitive fashion than a Google search, for example. Founder Mark Zuckerberg had tagged Graph Search the third Facebook pillar, right alongside the site's news feed and timeline. So why are security and privacy experts nervous? There's some serious horsepower behind Graph Search, and there are users whose interests aren't as benign as finding friends of friends in a particular location who happen to like country music, fine wine and yoga.

"This is basically a beautiful feature coming from a social engineering point of view," said Christopher Hadnagy, owner of White Hat Defense and founder of socialengineer.org. "I see this as a benefit for social engineers because you're giving them victims; they're not guessing anymore. Usually, a phisher or spammer collects a couple hundred email addresses and they're hoping 10 percent of those who get it have an interest in what the email is about. With this tool, it gives a malicious person the ability to figure out whom to target with a particular message because they know their interests."

Continued : https://threatpost.com/en_us/blogs/facebook-graph-search-mines-potentially-rich-data-phishers-attackers-012813

Related to Graph Search: How to find single women who like men *and* like getting drunk, with Facebook Graph Search
Facebook Graph Search is made out of people.
by R. Proffitt Forum moderator / January 28, 2013 9:02 AM PST

"Facebook Graph Search is made out of people. They're making our food out of people.
You've gotta tell them. You've gotta tell them! It's people!"

But at what cost?
by Carol~ Forum moderator / January 28, 2013 9:37 AM PST

".......it's hard to look at something like the newly launched Facebook Graph search, and not feel like the whole of your being has been stripped down to ones and zeroes"

"You've gotta tell them! It's people! "
