Hidden data trick could be malware writer's boon
Security researchers have revealed a new technique that could be used to secretly write data onto a hard drive, with no chance that it could be detected by computer forensic or antivirus tools. It could be the malware writers' next big trick.
The system devised by Ariel Berkman, a data specialist at Israeli recovery firm Recover, relies on writing data to a hard disk's service area - the portion of the disk typically reserved for the manufacturer's firmware.
The data in a hard disk's service area - sometimes termed the reserved area or system area - is typically used to store modules that are needed to operate the drives. It's one of the reasons why hard drives' usable space is lower than the theoretical capacity.
But instructions for writing data to these portions of the hard drive are closely guarded secrets - it requires so-called vendor specific commands (VSCs). "These commands are unique to the hard-drive vendor and are not publicly disclosed," said Berkman.
Nonetheless, Berkman has devised a proof-of-concept program that manipulates these secret VSCs and writes a file of up to 94MB on a Western Digital 250GB Hawk hard drive.
Continued : http://www.v3.co.uk/v3-uk/the-frontline-blog/2253176/hidden-data-trick-could-be-malware-writers-boon
The Brazilian Phishing World Cup
From the Kaspersky Labs blog:
The 2014 FIFA World Cup has already kicked off, at least for Brazilian bad guys. Next year's big event in Brazil has become one of the most prominent tactics used by Latin American cybercriminals as they unleash a real avalanche of phishing messages, fraudulent prizes and giveaways, malicious domains, fake tickets, credit card cloning, banking Trojans and a lot of social engineering.
Indeed Brazil figured among the top five countries where users risk being caught 'offside' by phishing attacks, according to a recent study (pdf) conducted by RSA and released in January. The country is in fourth place, along with the UK, USA, Canada and South Africa. So it's no big surprise to find four Brazilian brands in the Top 10 most targeted on PhishTank stats.
Offers range from alleged cash prizes, trips and tickets to watch the games, while the attacks involve massive phishing mailings, and, to add spurious credibility, stars of the national soccer team have been 'signed up' by the conmen. Here's one example featuring Neymar, the latest Brazilian hero to be dubbed the new Pele: [Screenshot]
Continued : https://www.securelist.com/en/blog/208194146/The_Brazilian_Phishing_World_Cup
'TurboTax' Phishing Emails Delivering Zeus Trojan
Tax season is in full swing and cyber-criminals are sending out tax-related emails to infect unsuspecting taxpayers with the Zeus banking Trojan, according to AppRiver.
Emails pretending to come from tax preparation software TurboTax are circulating at "very high volumes," Troy Gill, senior security analyst for AppRiver, wrote on the AppRiver blog. The messages are well-crafted, including the same graphics that TurboTax uses in its emails, as well as linking back to the real website. On first glance, these malicious messages closely resemble the real ones sent by TurboTax, Gill said.
The attack relies on users opening the zip file attached to the message. The zip file begins with the word "TAX" followed by a random number. When downloaded and executed, this variant of the Zeus Trojan collects all the browser cookies, Web history, and Outlook password stored on the computer and installs a backdoor. The "ultimate goal" is to steal banking and credit card credentials, Gill said. All the data are currently being transferred to an IP address located in Malaysia, according to AppRiver.
Continued : http://securitywatch.pcmag.com/none/308915-turbotax-phishing-emails-delivering-zeus-trojan
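The lure described above has two observable traits a mail gateway can key on: an archive named "TAX" plus a random number, and an executable hiding inside a supposed tax document. The following is an added detection example, not code from AppRiver or the article; the message structure, the sample messages and the suffix list are constructed for illustration.

```python
"""Flag mail attachments matching the TurboTax-themed Zeus lure described above."""
import io
import re
import zipfile
from dataclasses import dataclass

# Attachment naming described in the report: "TAX" followed by a random number, zipped.
LURE_NAME = re.compile(r"^TAX\d+\.zip$", re.IGNORECASE)

# File types that have no business inside a "tax document" archive (assumed list).
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


@dataclass
class Message:
    """Minimal constructed message model: sender, subject and attachment name -> bytes."""
    sender: str
    subject: str
    attachments: dict


def zip_members(blob: bytes) -> list:
    """Return member file names of a zip archive held in memory; [] if it is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def suspicious_reasons(msg: Message) -> list:
    """Return human-readable reasons a message matches the lure; empty list means clean."""
    reasons = []
    for name, blob in msg.attachments.items():
        if LURE_NAME.match(name):
            reasons.append(f"attachment name matches lure pattern: {name}")
        for member in zip_members(blob):
            if member.lower().endswith(EXEC_SUFFIXES):
                reasons.append(f"executable inside archive {name}: {member}")
    return reasons


def make_zip(files: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, data in files.items():
            zf.writestr(member_name, data)
    return buf.getvalue()


# Constructed samples: one mimicking the lure, one ordinary receipt.
LURE = Message(
    sender="TurboTax <noreply@example.invalid>",
    subject="Your TurboTax return is ready",
    attachments={"TAX48213.zip": make_zip({"TAX48213.exe": b"MZ-constructed-stub"})},
)
CLEAN = Message(
    sender="billing@example.invalid",
    subject="Your receipt",
    attachments={"receipt.pdf": b"%PDF-1.4 constructed"},
)

if __name__ == "__main__":
    for label, m in (("lure", LURE), ("clean", CLEAN)):
        print(label, suspicious_reasons(m) or "no findings")
```

The name pattern alone would also catch a legitimately named archive, so the archive is opened and its members inspected before a verdict; a real gateway would add sender-domain and URL checks on top of this.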
Australia's central Bank hoses down Chinese hack report
Australia's Reserve Bank has confirmed it has been attacked, after a report in the Australian Financial Review claimed its "... computer networks have been repeatedly and successfully hacked in a series of cyber-attacks to infiltrate sensitive internal information, including by Chinese-developed malicious software".
The Reserve Bank (RBA) is Australia's central bank and has functions broadly comparable to those of the Bank of England or the US Federal Reserve.
The AFR report mentions hacks on France that resulted in several thousand confidential documents supposedly making their way in the general direction of China, but does not say if Australian documents were lost.
The RBA has since issued a statement admitting to detecting attacks but has classified them as mere "virus attacks". Here's what the RBA had to say:
Continued : http://www.theregister.co.uk/2013/03/11/reserve_bank_of_australia_attacked/
Colin Powell's Facebook account has been hacked
Former US Secretary of State Colin Powell is the latest public figure to have fallen victim to hackers, with a series of out-of-character messages posted to his Facebook page. [Screenshot]
But before you jump to the conclusion that only a highly-sophisticated gang of hackers, backed by an enemy nation, could possibly have had the skills to break into the Facebook account of the man who was Chairman of the Joint Chiefs of Staff during the Gulf War... think again.
It appears that whoever broke into Colin Powell's Facebook account didn't do so to steal secrets - but rather in a mischievous attempt to redistribute private photographs and emails previously stolen from the families of former presidents George H.W. Bush and George W. Bush. [Screenshot]
Continued : http://nakedsecurity.sophos.com/2013/03/11/colin-powell-facebook-hacked/
Mac malware that infected Facebook bypassed OS X Gatekeeper
"New family of Mac malware masqueraded as printer software."
Researchers have identified the Mac malware that infected employees of Apple, Facebook, and Twitter, and say it may have been used to compromise machines in other US organizations, including auto manufacturers, government agencies, and a leading candy maker, according to a published report.
Pintsized.A is a new family of Mac malware that uses an exploit to bypass Gatekeeper, an OS X protection that allows end users to tightly control which sources are permitted to install apps, according to an article published Monday by The Security Ledger. Mac antivirus provider Intego says the trojan masquerades on infected machines as Linux printing software known as cupsd, although it runs from a different location than the legitimate title. It's unclear exactly how the malware gets around Gatekeeper.
Continued : http://arstechnica.com/security/2013/03/mac-malware-that-infected-facebook-bypassed-os-x-gatekeeper-protection/
Help Keep Threats at Bay With 'Click-to-Play'
Muzzling buggy and insecure Web browser plugins like Java and Flash goes a long way toward blocking attacks from drive-by downloads and hacked or malicious Web sites. But leaving them entirely unplugged from the browser is not always practical, particularly with Flash, which is used on a majority of sites. Fortunately for many users, there is a relatively simple and effective alternative: Click-to-Play.
Click-to-Play is a feature built into Google Chrome, Mozilla Firefox and Opera (and available via add-ons in Safari) that blocks plugin activity by default, replacing the plugin content on the page with a blank box. Users who wish to view the blocked content need only click the boxes to enable the Flash or Java content inside of them. [Screenshot]
To enable click-to-play on Chrome: From the main menu, click Settings, then in the search box type "click to play," and click the highlighted box labeled "content settings." In content settings, scroll down to the "plug-ins" section, and change the default from "run automatically" to "click to play". To enable exceptions so that certain sites (krebsonsecurity.com?) are allowed to load Flash and other content by default, click the "manage exceptions" box. Alternatively, this can be done in Chrome through the address bar: when you browse to a site that has content blocked by the click-to-play feature, an icon will appear on the far right side of the address bar that allows you to add an exception for the current site.
To enable click-to-play in Firefox:
Continued : http://krebsonsecurity.com/2013/03/help-keep-threats-at-bay-with-click-to-play/
Google Play: Potentially Unwanted
From the F-Secure Antivirus Research Weblog:
Google Play has a problem — and it isn't malware.
Depending on location, Potentially Unwanted Applications (PUA) can be rather difficult to avoid.
Here's a screenshot of User Reviews from a "weather widget" application: [Screenshot]
In English (both U.S. and U.K.), there are eight user reviews. Just eight. Even if you click on a link to "Read All User Reviews".
But if you use the Danish UI... this is one additional review you'll see: [Screenshot]
And it's good that Danes can see it, because the reviewer explains it's a "nice" app that uses push notifications to drop spam ads, one of which presented his ten year-old daughter with an offer to win an iPad. The daughter provided her father's phone number... and it ended up costing 150 Danish Krone (about 26 USD).
Worst of all — this weather widget app is the second result among free apps if Danes search for "vejr".
More popular, and far more reputable, applications such as "AccuWeather" (TM) haven't done Search Engine Optimization for the Danish market and so end up lower in "relevant" results.
Continued : http://www.f-secure.com/weblog/archives/00002521.html
MiniDuke Attack Leveraged IE, Java Exploits
Researchers at Kaspersky Lab and Crysys Lab have discovered two previously-unknown infection mechanisms for MiniDuke, the cyber-espionage malware linked to attacks across the globe.
According to their analysis, the new infection vectors leverage vulnerabilities in Java and Internet Explorer. Specifically, a webpage serves "JavaApplet.class", which implements a Java exploit for CVE-2013-0422. The code of the exploit is similar to the one published in the Metasploit kit, but the inner class that disables the security manager is encoded differently - most likely to avoid detection, explained Igor Soumenkov of Kaspersky Lab in a blog.
Internet Explorer 8 users are targeted using CVE-2012-4792, which was patched in January.
Continued : http://www.securityweek.com/miniduke-attack-leveraged-ie-java-exploits
MiniDuke does not come only via email
New Web-Based MiniDuke Components Discovered
MiniDuke Exploits Java and Internet Explorer Vulnerabilities to Infect Computers
HP, CERT Warn of Critical Hole in LaserJet Printers
Homeland Security's Computer Emergency Response Team is warning today that some printers manufactured by Hewlett-Packard, including 10 of its LaserJet Professional printers, have a security vulnerability that could allow an attacker to remotely access data.
According to CERT, the problem stems from a telnet debug shell glitch that can allow an unauthenticated user to connect to the printer and in turn, glean data. CERT warned of the problem this morning; HP's Software Security Response Team wrote about the problem in a security bulletin last week.
According to the bulletin, HP's following LaserJet Pro printers are vulnerable: P1102w, P1606dn, M1212nf, M1213nf, M1214nfh, M1216nfh, M1217nfw, M1218nfs, M1219nf and CP1025nw.
German security researcher Christop von Wittich with Hentschke Bau GmbH was credited with discovering the flaw.
HP is advising affected customers to download updated firmware for printers impacted by the bug from the company's Support Center site. The company is also encouraging those still concerned with the vulnerability to email email@example.com for further guidance.
Continued : https://threatpost.com/en_us/blogs/hp-cert-warn-critical-hole-laserjet-printers-031113
See Vulnerabilities / Fixes: HP LaserJet Pro Printers Telnet Debug Shell Vulnerability
DIY Steam information harvesting tool sends out mass malicious invites
Webroot's Dancho Danchev has unearthed a DIY Steam information harvester / mass group inviter tool being offered for sale on a number of cybercrime-friendly underground forums, proving once again that there really is an automated tool for every malicious cyber enterprise you want to engage in: [Screenshot]
To use this tool successfully, all you need to enter is a working Steam Group URL, and it will proceed to fill in everything from associated user names, Steam IDs, service registration date, to installed games, average play time, last login time, and more.
With this information in hand, the cyber crook is ready to approach the users with personalized spoofed mass invites to new games, patches, mods and other inviting offers, and serve them malicious links.
Continued : http://www.net-security.org/malware_news.php?id=2437
Zoosk resets some user accounts following password dump
Dating site Zoosk resets some user accounts following password dump
Zoosk.com, an online dating service with about 15 million unique visitors each month, is requiring some users to reset their passwords. The move comes after someone published a list of cryptographically protected passcodes that may have been used by subscribers to the website.
In the past, the San Francisco-based company has said it has more than 50 million users. With this dump, a small but statistically significant percentage of the 29-million-strong password list contained the word "zoosk," an indication that at least some of the credentials may have originated with the dating site. Jeremi Gosney, a password expert at Stricture Consulting Group, said he cracked more than 90 percent of the passwords and found almost 3,000 had links to Zoosk. The cracked passcodes included phrases such as "logmein2zoosk," "zoosk password," "myzooskpass," "@zoosk," "zoosk4me," "ilovezoosk," "flirtzoosk," "zooskmail."
Other passwords contained strings such as "flirt," "lookingforlove," "lookingforguys," and "lookingforsex," another indication that they were used to access accounts at one or more dating websites. Many users choose passwords containing names, phrases, or topics related to the specific website or generic type of service they're used to access. In December, Ars profiled a 25-GPU cluster system Gosney built that's capable of trying every possible Windows passcode in the typical enterprise in less than six hours.
Continued : http://arstechnica.com/security/2013/03/dating-site-zoosk-resets-some-user-accounts-following-password-dump/
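The pattern Gosney used to attribute the dump (passwords containing the site name or service-themed phrases) is also a cheap check a service can run at password-set time. The following is an added example, not code from Zoosk, Ars or Gosney; the leetspeak substitution table, the term list and the sample passwords are constructed for illustration, and the sample list deliberately reuses a few of the cracked strings quoted above.

```python
"""Detect passwords that embed the service name or service-themed phrases."""
import re

# Common keyboard substitutions undone before matching (assumed table, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Terms that tie a password to the service; taken from the phrases quoted in the report.
TERMS = ["zoosk", "flirt", "lookingfor"]


def normalise(pw: str) -> str:
    """Lower-case, undo leetspeak and drop separators so 'Z00sk_4_me' and 'zooskame' agree."""
    return re.sub(r"[^a-z0-9]", "", pw.lower().translate(LEET))


def first_service_term(pw: str, terms=TERMS):
    """Return the first service-related term found in the normalised password, else None."""
    norm = normalise(pw)
    for term in terms:
        if term in norm:
            return term
    return None


def flag_passwords(passwords, terms=TERMS) -> dict:
    """Map each password that references the service to the term that matched."""
    flagged = {}
    for pw in passwords:
        term = first_service_term(pw, terms)
        if term is not None:
            flagged[pw] = term
    return flagged


# Constructed sample: a mix of the quoted cracked strings and unrelated passwords.
SAMPLE = ["logmein2zoosk", "ilovezoosk", "Z00sk4me", "correcthorse",
          "summer2013", "lookingforlove"]

if __name__ == "__main__":
    hits = flag_passwords(SAMPLE)
    print(f"{len(hits)} of {len(SAMPLE)} reference the service: {hits}")
```

Used as a reject rule at registration, this blocks the most predictable choices without any knowledge of the user; used against a leaked list, the hit rate is the same attribution signal the report describes.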
Dummy mouse cursors defeat shoulder surfing co-workers
"Japanese system also beats screen capture malware"
Japanese researchers have come up with an ingenious solution to the perennial security problem of shoulder surfing and screen capture malware - make it impossible for co-workers or screen scrapers to see what has been entered by filling the screen with dummy mouse cursors.
The problem being addressed by Japan Science and Technology (JST) Agency was that while dummy keypads used in applications such as online banks work well as a defence against software keyloggers they can still be subverted by screen capturing malware.
They are also in some cases vulnerable to individuals in the same room as the users memorising PIN numbers or passwords as they are entered. To counter this, JST's lateral-thinking solution is to fill the screen in front of a PIN keypad with numerous moving dummy mouse cursors, disguising the user's real cursor in the visual confusion.
Continued : http://news.techworld.com/security/3434428/dummy-mouse-cursors-defeat-shoulder-surfing-co-workers/
Is Software Security a Waste of Money?
Bruce Schneier @ his "Schneier on Security" blog:
I worry that comments about the value of software security made at the RSA Conference last week will be taken out of context. John Viega did not say that software security wasn't important. He said:
'For large software companies or major corporations such as banks or health care firms with large custom software bases, investing in software security can prove to be valuable and provide a measurable return on investment, but that's probably not the case for smaller enterprises, said John Viega, executive vice president of products, strategy and services at SilverSky and an authority on software security. Viega, who formerly worked on product security at McAfee and as a consultant at Cigital, said that when he was at McAfee he could not find a return on investment for software security.'
I agree with that. For small companies, it's not worth worrying much about software security. But for large software companies, it's vital.
Continued : http://www.schneier.com/blog/archives/2013/03/is_software_sec.html