
NEWS - April 15, 2010

Identity Theft Ranks Among Consumers' Biggest Concerns, Study Says

"Concerns about ID theft are greater than fears over pandemics, inability to pay bills"

Aside from threats to national security, identity theft is the most acute concern of Americans today, according to a study published earlier this week.

In their bi-annual Unisys Security Index, researchers at Unisys asked more than 1,000 areas about their concerns surrounding security, both physical and online. The top-ranked concern was national security, where 65 percent of individuals described themselves as "extremely concerned" or "very concerned."

Identity theft was the number two concern, with 64 percent of respondents describing themselves as "extremely" or "very" concerned. Sixty-two percent of respondents said they are "extremely" or "very" concerned about credit card fraud.

Forty-three percent of respondents said they are "extremely" or "very" concerned about the security of their online transactions.

Continued here: http://www.darkreading.com/database_security/security/privacy/showArticle.jhtml?articleID=224400319
Apple Patches Pwn2Own Flaw That Hacked Safari

Apple today shipped a patch to fix the drive-by download vulnerability used by Charlie Miller (left) to hack a fully patched MacBook via the Safari browser.

Miller's hack was part of this year's CanSecWest Pwn2Own contest where Apple's flagship browser fell for the third straight year. In the attack, Miller set up a special Web page with the exploit. Using Safari, a conference organizer surfed to the Web page and watched as Miller took control of the machine.

However, according to Apple's advisory accompanying the patch, the actual vulnerability was not in the Safari browser but in the way ATS (Apple Type Services) handles certain fonts.

Here's the description:

CVE-2010-1120: An unchecked index issue exists in Apple Type Services' handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved index.

The issue affects Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.3 and Mac OS X Server v10.6.3.

Apple has still not patched the vulnerability used at Pwn2Own to hack into the iPhone and hijack the SMS database.

Continued here: http://threatpost.com/en_us/blogs/apple-patches-pwn2own-flaw-hacked-safari-041410

Also: Apple patch closes Pwn2Own hole in Mac OS X

DNS Trojan poses as iPhone unlocking utility

"Poisoned Apple"

An application that offers to unlock iPhones is actually designed to hijack internet connections on compromised Windows PCs, security watchers warn.

Spam messages direct potential victims to a domain called iphone-iphone.info that offers links to download a Windows executable called blackra1n.exe. The application claims to offer an unlock utility but instead it changes default DNS settings on infected Windows PCs, hijacking internet connections in the process.

Romanian anti-virus firm BitDefender, which identifies the executable as Trojan-BAT-AACL, explains that the malware comes as a Windows batch file packed alongside the iPhone jailbreaking application.

"The Trojan attempts to change the preferred DNS server address for several possible Internet connections on the users' computers to 188.210.[REMOVED]," BitDefender explains. "This allows the malware creators to intercept the victims' calls to reach internet sites and to redirect them to their own malware-laden versions of those sites."

Continued here: http://www.theregister.co.uk/2010/04/15/iphone_unlocking_trojan_scam/

See Dancho Danchev's post: iPhone Unlocking Themed Malware Campaign Spamvertised

Researchers warn of malware hidden in .zip files

Security researchers have discovered flaws in common file formats, including .zip, which can be used to sneak malware onto computers by evading antivirus detection.

Eight vulnerabilities were found in .zip, supported by Microsoft Office, along with seven others in the .7zip, .rar, .cab and .gzip file formats, said Mario Vuksan, president of ReversingLabs Corp.

The vulnerabilities could be used by attackers to hide malware that could then be slipped past antivirus software via an e-mail attachment and used to compromise a computer, he said.

"The file goes straight through Gmail or Hotmail because it's a trusted format," he added. "Antivirus software can't see the hidden payload. Once the file is opened the payload (or malware) is on the system."

Vuksan said he and his partners in the research, Tomislav Pericin of ReversingLabs and AccessData Chief Operating Officer Brian Karney, had notified antivirus firms and other security vendors about the holes so they could update their products so they would not be vulnerable to attacks. The three were set to present their findings at the Black Hat Europe conference in Barcelona on Thursday.

Continued here: http://news.cnet.com/8301-27080_3-20002542-245.html

Dangerous Zips + Responsible Disclosure

From the ESET Threat Blog:

No, I'm not talking about the risks to dangly bits from reckless re-trousering.

At Blackhat Europe in Barcelona today, Mario Vuksan, Tomislav Pericin and Brian Karney have been talking, apparently to a packed house, about vulnerabilities they've found in various compression formats (ZIP, RAR, 7ZIP, CAB and GZIP), as well as their potential for steganographical use or misuse. I don't know yet what vulnerabilities they've found, as they're giving the vendors concerned the opportunity to fix them before going public.

Certainly, there have been many previous attempts to slip malware past antivirus software as a compressed attachment. In the early noughties, I earned the enmity of about 1 1/4 million people in the UK's National Health Service when I put a temporary block on ZIP files at a time when encrypted ZIPs were being heavily used by malware distributors to get past gateway AV and filters. It would, of course, have been much better to restrict blocking to encrypted ZIPs, but the service providers used at that time refused to implement filters to enable that, even though the programming required would have been minimal. Fortunately, most of that malware would be caught on execution by up-to-date signatures or heuristics, but we weren't able to assume that end-sites were properly protected in that environment, since their choice of product and configuration was not centrally regulated.

Continued here: http://www.eset.com/blog/2010/04/15/dangerous-zips-responsible-disclosure

Also See: Security researchers find bugs in commonly used archival formats

Next-Generation Clickjacking Attacks Revealed

"Researcher at Black Hat Europe will also release new, free tool for executing these attacks"

Tomorrow at Black Hat Europe a researcher will demonstrate a new, powerful breed of clickjacking attacks he devised that can bypass newly constructed defenses in browsers and Websites.

Paul Stone, a security consultant with Context Information Security in the U.K., also will release a browser-based point-and-shoot tool for clickjacking that simplifies these attacks on Web applications and provides researchers visual views of the links, buttons, fields, and data to be targeted by the clickjacking attack.

Clickjacking is where an attacker slips a malicious link invisibly on a Web page or under a button on the site. When the user clicks on the link or moves his mouse over it, he becomes infected. Security researchers Robert "RSnake" Hansen and Jeremiah Grossman two years ago first exposed some of the dangers of clickjacking, and browser vendors like Microsoft have responded to the threat with anti-clickjacking defenses: Internet Explorer 8, for instance, contains a feature that lets Websites safeguard their sites from the attacks with an HTTP header that attaches to the Web pages.

Continued here: http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=224400129

Google & friends back bid to block warrantless email search

"Reinforcements for Yahoo!"

A coalition of civil liberties groups has joined Yahoo! in its bid to block a government attempt to read messages in a Yahoo! email account without a search warrant.

The Department of Justice is seeking the documents in a case that is under seal, and apparently, the agency hasn't notified the account holder of the request, according to the Electronic Frontier Foundation, one of the groups opposing the move. The groups argue that federal law and the Constitution's Fourth Amendment clearly require the government to get a search warrant that's based on probable cause a crime has been committed.

Government attorneys, meanwhile, have said a warrant isn't needed because the emails have already been read. They've also claimed that the unidentified user has no expectation that his emails are private because Yahoo has the technical ability to access them.

"The mere fact that a service provider has the ability to access email messages does not defeat the user's expectation of privacy in their contents, just as the fact that telephone wires lead outside the home does not extinguish the Fourth Amendment rights of those talking over the telephone lines, and just as the fact that one has a roommate or is renting a room does not defeat Fourth Amendment protection in one's home or hotel room," the groups wrote in a friend-of-the-court brief (PDF) filed on Tuesday.

Continued here: http://www.theregister.co.uk/2010/04/14/yahoo_warrantless_email_search/

Emerging P2P Trojan Botnet Uncovered

From TrendLabs Malware Blog:

News of a new botnet has been circulating recently in the threat landscape. According to reports, several systems have been infected by TROJ_DLOADE.ATJ, which has been built to download and install other malware. The Trojan does not, however, seem to have any distributed denial-of-service (DDoS) capability.

This Trojan may be downloaded when users visit sites under the domain {BLOCKED}m.com or {BLOCKED}n.net. It may also download other malware from the said domain. Once installed, it attempts to connect to the command-and-control (C&C) server using TCP port 8090 to register itself and to wait for commands. It also has the capability to communicate with other bots via some kind of peer-to-peer (P2P) connection over ports 7000-7010. It also connects to specific malicious sites, which are currently inaccessible.

Continued here: http://blog.trendmicro.com/emerging-p2p-trojan-botnet-uncovered/

Online bookings spur cybercrime in South Africa

An increase in Web bookings for accommodations and tickets for the World Cup in South Africa has spurred local online users to warn about an uptick in cybercrime in the region.

Africa is currently facing an increase in phishing attacks in which criminals try to extract bank account information in order to steal money from unsuspecting bank customers. Meanwhile, South Africa is hosting the World Cup from June to July this year, with millions of people already making online bookings for tickets and accommodations.

South Africa is Africa's second-largest telecom market in terms of investment and subscription while Nigeria, Africa's largest telecom market, is ranked number three in the world in terms of cybercrime. Cybercrime in the region has further increased following the landing last year of Seacom and Teams international cables, which are starting to lower bandwidth and Internet connectivity costs.

Africa is experiencing an explosion of mobile money services as banks and mobile providers compete with customers who would otherwise not have a bank account. This has increased phishing attacks on unsuspecting customers, in efforts to lure them to fake sites and get their bank details.

Continued here: http://news.idg.no/cw/art.cfm?id=F8BA8D87-1A64-6A71-CEF65DDE92D103F4

Facebook offers security tips for teens, parents

Facebook brings families closer together. But as with any medium, Facebook is sometimes abused, occasionally to damaging effect.

The Facebook Privacy Settings options let you control who has access to your personal information. The page includes a Block List that prevents contact with the people and e-mail addresses you specify without their knowledge. [...]

A welcome addition to Facebook's security arsenal is the new Safety Center that provides information specifically for children, parents, educators, and law enforcement. The Safety for Teens section addresses bullying, public bad-mouthing, and how to report abuse. (If you'd like to remove an unflattering photo posted by one of your "friends," Facebook will do so only if the image violates the service's Statement of Rights and Responsibilities.)

The Safety for Parents section of the Safety Center describes what to do if your child views inappropriate content on a Facebook page, how to help a child report abusive conduct, and how to delete an account of a child under the age of 13. Much of the information in this section parrots the entries on the Safety for Teens page, but it does include links to in-depth articles by Common Sense Media on security for teens online.

Continued here: http://news.cnet.com/8301-13880_3-20002320-68.html

Yahoo, Feds Battle Over E-Mail Privacy

Yahoo and federal prosecutors in Colorado are embroiled in a privacy battle that's testing whether the Constitution's warrant requirements apply to Americans' e-mail.

The legal dust-up, unsealed late Tuesday, concerns a 1986 law that already allows the government to obtain a suspect's e-mail from an ISP or webmail provider without a probable-cause warrant, once it's been stored for 180 days or more. The government now contends it can get e-mail under 180-days old if that e-mail has been read by the owner, and the Constitution's Fourth Amendment protections don't apply.

Yahoo is challenging the government's position and defying a court order to turn over some customer e-mail to the feds. Google, the Electronic Frontier Foundation, the Center for Democracy & Technology and other groups late Tuesday told the federal judge presiding over the case that accessing e-mail under 180 days old requires a valid warrant under the Fourth Amendment, regardless of whether it has been read.

"The government says the Fourth Amendment does not protect these e-mails," Kevin Bankston, an EFF lawyer, said in a telephone interview Wednesday. "What we're talking about is archives of our personal correspondence that they would need a warrant to get from your computer but not from the server."

Continued here: http://www.wired.com/threatlevel/2010/04/emailprivacy/

A Trojan Adding Malicious Routing Entries

From the Security Response Blog:

Backdoor.Rohimafo is a Trojan that has several back door functions. It not only opens a back door and performs the usual functions but it also can perform some decidedly unusual functions.

It attempts to block users from connecting to remote servers; not only specific servers but also specific network segments by using PersistentRoutes in Windows. PersistentRoutes can be used to add a routing entry to a routing table persistently. The route.exe command can be used to add an entry like the following:

route.exe add -p [NETWORK ADDRESS] [NETMASK] [IP ADDRESS OF GATEWAY] [METRIC]

This Trojan can add routing entries using a network address instead of the IP address of the gateway. Therefore, all packets matching the network address and netmask that are specified by the command are included. Usually threats add entries to the hosts file to redirect IP addresses or hook network APIs and let the connecting API fail. Please see Backdoor.Rohimafo for further information regarding the complete list of network addresses that the Trojan disables.

This Trojan also has functionality to steal passwords; it aims to inject malicious code into not only web browsers, such as Internet Explorer and Opera, but also Java applications and isclient.exe and intpro.exe, which are tools used to protect HTTP connections. So not only are major browsers targeted but web security tools as well.

Continued here: http://www.symantec.com/connect/blogs/trojan-adding-malicious-routing-entries
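As an added defender-side example (not from the Symantec post, and not the Trojan's code), here is a Python script that parses the Persistent Routes section of Windows `route print` output and flags entries whose "gateway" is the destination network address itself, the pattern the write-up describes. The `route print` output embedded below is constructed sample data using documentation-range addresses, not indicators from the post.

```python
import ipaddress
import re

# Constructed sample of the "Persistent Routes" section that `route print` shows
# on Windows (addresses are from documentation ranges, not real indicators).
# The first entry is an ordinary persistent route via a LAN gateway; the other
# two use the destination network address as the "gateway", the trick described
# in the Symantec write-up, which silently sinks all traffic to those blocks.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         10.0.0.0        255.0.0.0      192.168.1.1       1
        192.0.2.0    255.255.255.0        192.0.2.0       1
     198.51.100.0    255.255.255.0     198.51.100.0       1
===========================================================================
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_LINE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+(\d+)\s*$")


def parse_persistent_routes(route_print_output):
    """Return (network, netmask, gateway, metric) tuples from the Persistent Routes section."""
    routes = []
    in_section = False
    for line in route_print_output.splitlines():
        if line.strip().startswith("Persistent Routes"):
            in_section = True
            continue
        if not in_section:
            continue
        match = ROUTE_LINE.match(line)
        if match:
            network, netmask, gateway, metric = match.groups()
            routes.append((network, netmask, gateway, int(metric)))
    return routes


def suspicious_routes(routes):
    """Flag persistent routes whose gateway is the destination network address itself.

    A real next hop is a host address reachable from a local interface. A gateway
    equal to the network address of the very block being routed is never a usable
    hop, so such an entry only serves to cut the host off from that block, which
    is the blocking technique the post describes.
    """
    flagged = []
    for network, netmask, gateway, _metric in routes:
        block = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
        if ipaddress.ip_address(gateway) == block.network_address:
            flagged.append((str(block), gateway))
    return flagged


if __name__ == "__main__":
    for block, gateway in suspicious_routes(parse_persistent_routes(SAMPLE_ROUTE_PRINT)):
        print(f"suspicious persistent route: {block} via {gateway}")
```

On a live host, feed the output of `route print` to `parse_persistent_routes`; the same entries are stored under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes`, so a registry-based check can reuse `suspicious_routes` unchanged.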

Oracle releases Update 20 for Java 6

From Java vulnerability - when lyric sites attack:

...A solution for Java is also at hand - Oracle has released Update 20 for Java 6, which reportedly fixes the problem. Certainly the exploit published by Tavis Ormandy no longer works in either Internet Explorer or Firefox after installing the new version. Oracle has reacted with surprising speed. As recently as Friday, Ormandy reported that Sun did not consider the vulnerability to be sufficiently critical to release an emergency patch outside of its three-month patch cycle. Although Oracle did carry out its quarterly critical patch update yesterday, Java was not mentioned.

In its release notes for the Java 6 Update 20, Oracle does not say exactly what has been patched. At first sight it would appear that the vulnerable components are no longer loaded in the browser, i.e. that the actual vulnerability has genuinely been fixed.

However, it seems the Java update does not prevent the exploit from working in all cases. The cause is currently unclear. As an alternative, Internet Explorer users can set a kill bit and disable the ActiveX control responsible by creating a registry key. To prevent the system from being vulnerable, users can place the following text into a file called file-kill.reg and double click the file:

Continued here: http://www.h-online.com/security/news/item/Java-vulnerability-when-lyric-sites-attack-978283.html

Java Patch Targets Latest Attacks

From Brian Krebs:

Oracle Corp. has shipped a new version of its Java software that nixes a feature in Java that hackers have been using to foist malicious software.

Java 6 Update 20 was released sometime in the last 24 hours, and includes some security fixes, although Oracle's documentation on that front is somewhat opaque. Most significantly, the update removes a feature that hackers have started using to install malware.

On Wednesday, a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to plant malicious software.

If you need Java for some specific reason, then by all means install this update. However, I have found that most users can happily do without this powerful and feature-rich program, which is fast becoming a popular vehicle for launching a range of attacks. More on that in a future post. Stay tuned.

In other news about features in widely installed programs being used as a vehicle to load malware, security experts at M86 Security have spotted a spam campaign aimed at spreading the ZeuS Trojan that exploits a recently-documented feature in at least two different PDF readers. That feature, known as "launch action," is intended to be used to run an application or to print a document, but recently it was discovered that this feature could be abused to run malicious programs within PDF files.

Both Foxit Reader and Adobe Reader now warn users if a PDF file tries to invoke this launch action feature, and the alert box will look similar to the one pictured at right. If you use these applications and happen to see one of these alerts, it's probably a good idea to decline launching the file in question.

From: http://krebsonsecurity.com/2010/04/java-patch-targets-latest-attacks/

ClamAV 0.94 EOL Reminder

A reader reminded us of the impending April 15 deadline for the support of ClamAV version 0.94 and earlier. ClamAV will be releasing signatures greater than 980 bytes on May 15. ClamAV version 0.94 and earlier will not be able to deal with these. To prevent issues on April 15 there will be a signature released that effectively disables version older than 1 year (version 0.94 and earlier). The application will not start.

Most of you will no doubt already be using a later version, but the product is used in many a gateway and is used as part of a number of commercial appliances. If you are not certain what version you are using, you may wish to do a quick check.

Some more information is here http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094/

From: http://isc.sans.org/diary.html?storyid=8635
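One way to do that quick check on a fleet of gateways, as an added example that is not part of the ISC diary or the ClamAV project: a Python script that parses the first line of `clamscan --version` output (engine version, signature database version and database date separated by slashes) and reports whether the engine is 0.94 or older. The sample outputs are constructed.

```python
import re

# Per the ISC diary above, ClamAV 0.94 and earlier are end-of-life and will be
# disabled by a signature update; anything from 0.95 onwards is supported.
LAST_EOL_VERSION = (0, 94)

# Constructed sample lines in the shape `clamscan --version` prints
# (engine version / signature database version / signature database date).
SAMPLE_OUTPUTS = [
    "ClamAV 0.94.2/10774/Thu Apr 15 09:12:31 2010",
    "ClamAV 0.95.3/10774/Thu Apr 15 09:12:31 2010",
    "ClamAV 0.96/10774/Thu Apr 15 09:12:31 2010",
]

# Numeric version first, an optional suffix such as "rc1", then the optional
# database fields; a host with no database installed prints only "ClamAV x.y.z".
_VERSION_RE = re.compile(r"^ClamAV\s+(\d+(?:\.\d+)*)[^/\s]*(?:/(\d+)/(.+))?\s*$")


def parse_clamscan_version(output):
    """Return (engine_version_tuple, sigdb_version_or_None) from `clamscan --version` output."""
    match = _VERSION_RE.match(output.strip())
    if not match:
        raise ValueError(f"unrecognized clamscan --version output: {output!r}")
    engine = tuple(int(part) for part in match.group(1).split("."))
    sigdb = int(match.group(2)) if match.group(2) else None
    return engine, sigdb


def is_eol(output):
    """True when the engine is 0.94 or older.

    Versions are compared as integer tuples, so 0.94.2 < 0.95 and 0.95 < 0.100,
    which a plain string comparison would get wrong.
    """
    engine, _sigdb = parse_clamscan_version(output)
    return engine[:2] <= LAST_EOL_VERSION


def check_all(outputs):
    """Map each host's engine string to a verdict, for a fleet-wide report."""
    return {
        out.split("/")[0].strip(): ("EOL - upgrade" if is_eol(out) else "supported")
        for out in outputs
    }


if __name__ == "__main__":
    for engine, verdict in check_all(SAMPLE_OUTPUTS).items():
        print(f"{engine}: {verdict}")
```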

Fireshark Plugin Decodes the Malicious Web

A computer security researcher has released a plugin for Firefox that provides a wealth of data on Web sites that may have been compromised with malicious code.

The plugin, called Fireshark, was released on Wednesday at the Black Hat conference. The open-source free tool is designed to address the shortcomings in other programs used to analyze malicious Web sites, said Stephan Chenette, a principal security researcher at Websense, which lets Chenette develop Fireshark in the course of his job.

Hackers often target legitimate Web sites with code that can either infect a machine with malicious software or redirect a user to a bad Web page.

Websense specializes in detecting Web pages that have been infected, as many site administrators don't know that their sites are harmful to visitors or have difficulty reverse-engineering malicious code. Fireshark will "show you the exact details of a mass compromise," Chenette said.

Over the last 12 months, the number of newly compromised Web sites has increased about 225 percent, Chenette said.

Continued here: http://www.pcworld.com/businesscenter/article/194314/fireshark_plugin_decodes_the_malicious_web.html

Tax Day Freebies

From the F-Secure Weblog:

Google's Online Security Blog had a very interesting post yesterday regarding fake antivirus. Google has been working to protect their users since March 2007, when they first discovered fake AV. (We, and other security vendors, have been writing about the issue of rogues since at least July 2006.)

Google performed a 13 month study and "uncovered over 11,000 domains involved in Fake AV distribution - or, roughly 15% of the [overall] malware domains" that were detected during the period.

Hopefully the research will be useful in combating the fake antivirus Search Engine Optimization (SEO) attacks that currently plague Google's real-time results.

Today, for example, is April 15th, tax day in the USA. So what happens if you search for "tax day freebies 2010" using Google?

Yep. You'll find rogues and fake antivirus attacks on the first page of results.

Here's a short flash video we made demonstrating the issue: ["tax day freebies 2010" video]

Continued here: http://www.f-secure.com/weblog/archives/00001934.html

Death of Type O Negative frontman used for Fake AV ...

"Death of Type O Negative frontman used for Fake AV distribution"

The rumor of the death of Peter Steele, Type O Negative frontman, has spread like wildfire through the Net yesterday.

Confirmed by a number of sources, the unfortunate event became, in the meantime, one of the hottest searches on Google. Yes, you've guessed it: the great interest in the news was used to lure unsuspecting victims to webpages where they are in danger of being tricked into downloading and paying for fake AV software.

Here is what the first page of search results for the "Peter Steele Death" search terms looks like: [...]

If you look closely, some links are marked by Google as malicious. Some of those that are not, present the following pages upon having been followed: [...]

Continued here: http://www.net-security.org/malware_news.php?id=1303

Also: Reports of TYPE O NEGATIVE frontman's death unleash rogue AV

Romanians hack Daily Telegraph after 'Borat' jibe

"Anger at Top Gear show spills over"

The Daily Telegraph website has been defaced by what appear to be Romanian hackers angry at the newspaper's claimed portrayal of the country.

The previously unknown but publicity-seeking 'Romanian National Security' (RNS) claims responsibility for the defacement which affected two sub-domains used by the Telegraph to advertise third-party services.

Under a Romanian flag sits a Romanian-language statement, which security company Sunbelt Software translated using Google to read:

"We are sick and tired of seeing how some "garbage" like you try to mock our country. [And try] to create [for us] a completely different picture compared to the real one, and calling us "romanian gypsies" [,] broadcast s****y tv programs like TopGear." It remonstrates, referring to disparaging remarks about Romania supposedly made on a BBC TV comedy car show unconnected with the Daily Telegraph.

Continued here: http://news.techworld.com/security/3220541/romanians-hack-daily-telegraph-after-borat-jibe/

From Sunbelt: Subdomains defaced on The Telegraph website

Also: Angry Romanian hackers deface Telegraph for Top Gear toss

Google: 11,000 domains carrying rogue security products

From the Sunbelt Blog:

Niels Provos of the Google Security Team has blogged about the rise of malicious web sites carrying rogue security products, which the Google team calls "Fake AV." Google has been engaged in a constant battle against the sites because the operators who peddle them have been refining their techniques for poisoning Google search engine results in order to victimize Google users by drawing them to malicious download sites.

He wrote: "we conducted an in-depth analysis of the prevalence of Fake AV over the course of the last 13 months, and the research paper containing our findings, 'The Nocebo Effect on the Web: An Analysis of Fake AV distribution' is going to be presented at the Workshop on Large-Scale Exploits and Emergent Threats (LEET) in San Jose, CA on April 27th."

He went on to say: "Our analysis of 240 million web pages over the 13 months of our study uncovered over 11,000 domains involved in Fake AV distribution - or, roughly 15% of the malware domains we detected on the web during that period.

"Also, over the last year, the lifespan of domains distributing Fake AV attacks has decreased significantly."

Provos advises Web users not to purchase the rogues when they pop up their persistent, screaming warnings and instead, remove the malicious code from their machines.

Continued here: http://sunbeltblog.blogspot.com/2010/04/google-11000-domains-carrying-rogue.html

As referenced above from the Google Online Security Blog: The Rise of Fake Anti-Virus

FIFA World Cup bookings spurs cyber crime

"Hackers and criminals target World Cup football fans"

An increase in web bookings for accommodations and tickets for the World Cup in South Africa has spurred local online users to warn about an uptick in cybercrime in the region.

Africa is currently facing an increase in phishing attacks in which criminals try to extract bank account information in order to steal money from unsuspecting bank customers. Meanwhile, South Africa is hosting the World Cup from June to July this year, with millions of people already making online bookings for tickets and accommodations.

South Africa is Africa's second-largest telecom market in terms of investment and subscription while Nigeria, Africa's largest telecom market, is ranked number three in the world in terms of cybercrime. Cybercrime in the region has further increased following the landing last year of Seacom and Teams international cables, which are starting to lower bandwidth and Internet connectivity costs.

Continued here: http://news.techworld.com/security/3220482/fifa-world-cup-bookings-spurs-cyber-crime/

Google to Index Your Embarrassing Twitter Trail

Billions of Twitter posts will no longer fade into obscurity now that Google is indexing them all in a massive, searchable database.

Google announced a new search feature that lets users look at an entire history of tweets on any subject, in any time frame. The feature will roll out over the next couple of days, but you can see it in action now through a special link (ironically, it didn't work for me in Chrome, but Firefox was fine).[...]

By entering a search term and selecting "Updates" under search options, you can quickly find tweets on that term dating back to February 2010. Google says you'll soon be able to go all the way back to the first Tweet on March 21, 2006.

Twitter status updates never really disappeared with time, they were just difficult to search. Results on Twitter's Web site are displayed chronologically, so going back in time required patience and lots of clicks on the "more" button. Google only showed recent status updates as well. [...]

Continued here: http://www.pcworld.com/article/194232/google_to_index_your_embarrassing_twitter_trail.html

From the Official Google Blog: Replay it: Google search across the Twitter archive

The END about Twitter and/or Facebook for the day!!: Library of Congress Will Save Tweets
