12 total posts
Oracle Fixed 73 Bugs in April's Critical Patch Update
"Oracle fixed 73 security vulnerabilities across its product portfolio, including six bugs for its database software and 18 bugs in the Oracle Sun product suite."
Oracle on April 19 released 25 security patches that addressed 73 vulnerabilities, of which 36 have been classified as "critical," as part of its quarterly Critical Patch Update. The critical issues may be exploited remotely without requiring a username or password.
April's CPU contained updates to Oracle Database Server11g and 10g, Oracle Fusion middleware, Oracle Enterprise Manager Grid Control, Oracle Siebel CRM, Oracle Industry Applications, E-Business, Supply Chain Products, PeopleSoft, JD Edwards, Open Office and the Oracle Sun product suite.
Oracle addressed six vulnerabilities in the database, two of which were considered critical. The patches apply to server environments, not to client-only deployments where Oracle Database Server was not installed. The Database Server bug fixes affected Application Service Level Management, Database Vault, Network Foundation, Oracle Help, Oracle Security Service, Oracle Warehouse Builder and UIX.
Continued : http://www.eweek.com/c/a/Security/Oracle-Fixed-73-Bugs-in-Aprils-Critical-Patch-Update-847163/
See: Vulnerabilities / Fixes - April 20, 2011
Malware Author Targets Google Chrome
ZDNet's Ed Bott has an example of something I've never seen before: A rogue antimalware attack targeting Google Chrome users. Such attacks are neither difficult nor surprising, and this does reinforce the great truth that the "flying under the radar" approach to security is more about crossing your fingers than actually protecting yourself. [Screenshot]
The attack begins with poisoned search results on both Google and Bing, although this particular poisoning seems to have been cleared out from both engines. It goes on to a fairly standard rogue antimalware attack, but with a twist: It's customized to look like Google Chrome warnings. Ed has a photo gallery with screen shots.
Does this mean that Chrome is no longer safe? Of course not; Chrome is a particularly secure browser (as is, for that matter, IE9). But attacks like this one are the exception, so much so that each one is newsworthy. Attacks that just look like Windows XP and Internet Explorer 6 are commonplace. And a Windows Chrome user might fall for those attacks as well.
Continued : http://blogs.pcmag.com/securitywatch/2011/04/malware_author_targets_google.php
I take you, XPAntiSpyware, to be my...
From the ESET Threat Blog:
One of the most common ways to propagate malware through social engineering is to piggyback it on some attention-catching news event. This can be carried out using a variety of techniques and is certainly nothing new. One infamous example from 2007 was Win32/Nuwar (a/k/a the Storm Worm), which distributed through spam emails with current and/or sensational subjects. As part of an evolution seen in malware, the trends have moved towards spamming popular social networks such as Facebook or Twitter and black hat search engine optimization (BHSEO).
A recent example of the latter was abusing the recent tragedy in Japan, as David Harley commented on here.
Another one which is current these days is the upcoming British royal wedding. When searching keywords relating to this event (e.g., "middleton wedding dress idea") in your search engine, malicious links are among the top results. And the category of malware which sits behind them hardly comes as a surprise - rogue anti-virus apps. [Screenshot] - [Screenshot]
This particular variant is detected by ESET as Win32/Adware.XPAntiSpyware.AB.
Anger after scam-exposing community shut down by Facebook
n a bizarre and hard-to-understand move, a Facebook page which claims it helped countless Facebook members stay safe online on the social network has been shut down... by Facebook.
The Bulldog Estate is one of a number of different resources on the internet dealing with the subject of Facebook scams, rogue applications, and the like. Other examples include Scam Sniper, FaceCrooks and Sophos's own Facebook community. [...]
Later that day, the same fate befell The Bulldog Estate's Facebook presence, leading the scam-exposing site to say that Facebook had made a bad PR move: [...]
The Scam Sniper Facebook page was eventually restored, but Tony Mazan, the owner of The Bulldog Estate, hasn't had the same luck.
Mazan has been contacting Facebook since Monday attempting to understand why The Bulldog Estate's Facebook page was closed, and how it might be recovered.
Today Mazan received a standard response from Facebook, which still wasn't specific about the reasons that The Bulldog Estate's Facebook presence had been killed off:
On Monday 18th April, the Facebook page belonging to Scam Sniper was shut down by Facebook authorities:
Continued : http://nakedsecurity.sophos.com/2011/04/21/anger-after-scam-exposing-community-shut-down-by-facebook/
Amazon Cloud Outage Takes Down Reddit, Quora, More
A number of well-known Web sites and online services were completely unavailable earlier today due to problems with Amazon EC2 (Elastic Compute Cloud) and Amazon Web Services.
Foursquare, Reddit, Hootsuite, and Quora were among the largest and most visible sites affected.
Amazon EC2 is a service that provides processing power and storage to Web sites and businesses via the cloud. Amazon EC2 is part of the larger Web Services division of Amazon, which provides other business solutions as well, including networking, database provision, and payment and billing.
While many North American consumers slept through a large part of the outage, which started early on Thursday, Web users on other continents experienced the downtime during peak business hours. Some services seem to have been restored around 10:30 a.m. Eastern time.
During the downtime, Foursquare was able to post an apology on its homepage, explaining there was a problem with an otherwise reliable service. Reddit's reaction was a lot more direct. It sent a public message via Twitter to Amazon CTO Werner Vogels reading, "@werner @reddit has been down for 5.5 hours now. Please tell them to fix our volumes. Thanks."
Reddit.com is now live, though a notice on the site reads, "Amazon is currently experiencing a degradation. They are working on it. We are still waiting on them to get to our volumes. Sorry."
Continued : http://www.pcmag.com/article2/0,2817,2383910,00.asp
Also: Amazon experiencing troubles with cloud servers, Reddit and Quora among affected sites
Russian Media: Kaspersky?s son feared kidnapped
One of the smartest men in the security world is facing every parent's worst nightmare, if media reports are to be believed. Ivan Kaspersky, 20, the son of Kaspersky Lab co-founder Yevgeny (Eugene) Kasperky, is said to have been taken in the north-west part of Moscow Tuesday, while on his way to work.
Lifenews (TRANSLATION) broke the story on Thursday. According to reports, law enforcement has been searching for Ivan for the last 48-hours.
The same day he was taken, the paper reported that the kidnappers contacted his father, Eugene Kaspersky, and demanded a ransom of ?3 million Euros. Shortly after the call, he returned to Moscow from London.
The company where Ivan works, InfoWatch, somewhat confirmed that he was taken right outside of the office, but no other details are known. Local law enforcement, as well as the Secret Service and the Criminal Investigation Department are following leads.
Kaspersky Labs has neither confirmed nor denied the kidnapping.
As more details emerge, we'll update this story.
(4-21-11) 12:48 p.m. EST
Graham Cluley of Sophos made an interesting observation in his blog post on the reported tragedy.
"The odd thing is, I chatted to Eugene Kaspersky at about 6pm in London last night, and he seemed his normal jolly self. In fact, he tried to lure me into having a quick drink with him and we posed for a couple of goofy photographs together.
"Furthermore, a contact at Kaspersky's company tells me that they knew nothing of any problems involving Kaspersky's son, and that Eugene's plan was always to fly back to Moscow last night.
"Of course, it's possible that Kaspersky only discovered his son was in danger as he travelled to the airport, but we should perhaps not read too much into the timing of Eugene's flight out of London."
Like Sophos, we too are hoping that there is some confusion and that the reports of Ivan's kidnapping are a severe misunderstanding.
BBC: Russian software tycoon Kaspersky's son 'missing'
Michigan State Police responds to ACLU?s data extraction
The Michigan State Police has responded to the ACLU, after they claimed the law enforcement agency was secretly extracting information from cell phones during traffic stops. In addition, the agency also commented on the ACLU's attempts to learn more about the handheld devices used by the troopers.
For nearly three years, the ACLU has attempted to get the Michigan State Police (MSP) to answer questions over their use of CelleBrite's UFED Physical Pro scanner. The handheld device allows police to extract data from phones and SIM memory. In addition to the normal information, such as contact lists, email, and text messages, the UFED is also able to recover hidden and deleted data.
In a letter sent to the MSP, the ACLU remarked that troopers were able to access the mobile devices without the owner being aware. Expressing concern that the UFED device makes data collection too easy, the letter concluded that there is a risk troopers might ignore the Fourth Amendment if they have access to them.
"?Additionally, if racially disproportionate incarceration rates in this state are the result of racially disproportionate contact with law enforcement officers, then there is reason to be concerned that Michigan residents of color are more likely to have their cell phones searched by Michigan State Police." [ACLU Letter - PDF]
Continued : http://www.thetechherald.com/article.php/201116/7094/Michigan-State-Police-responds-to-ACLU-s-data-extraction-claims
Michigan Police Deny Secretly Extracting Mobile Data During Traffic Stops
Michigan State Police Denies Unconstitutional Use of Phone Forensics Device
Related to: Is Smartphone Security Good Enough?
Skype for Android update closes privacy vulnerability
The latest update to Skype for Android addresses a security vulnerability in the app that could have allowed a malicious third-party application to access locally stored files. According to a post on the Skype Security blog by Chief Information Security Officer Adrian Asher, these files include cached profile information and instant messages.
In a later post, Asher notes that Skype has "had no reported examples of any 3rd party malicious application misusing information from the Skype directory on Android devices," adding that the company will continue to monitor the situation closely. All versions prior to 22.214.171.1243 are reportedly affected.
In addition to addressing the above security problem, the update also enables calling over 3G for all users, such as those in the US that were previously prevented from doing so. All users are advised to upgrade to the latest version.
Continued : http://www.h-online.com/security/news/item/Skype-for-Android-update-closes-privacy-vulnerability-1231995.html
Also: Skype plugs Android privacy flaw
Microsoft provides certificate forBPOS-Federal service suite
Microsoft has produced a FISMA certificate for its Business Productivity Online Suite (BPOS-F) allowing it to receive the Authorisation To Operate (ATO) required so that it can be used by US authorities. Shortly after the successor to BPOS, Office 365, went into open beta testing the company provided the certificate which will allow for the use of its services including SharePoint Online, Exchange Online, and Office Communications Online as applications for public officials. Without the ATO, US officials cannot assume that a program package or service suite is sufficiently secure for its needs and are therefore not allowed to use it. Nevertheless, it seems that Microsoft had already won over the US Department of Agriculture as a customer for BPOS even before receiving certification; the DOA is providing its 120,000 staff members with access to Microsoft's cloud services.
On its US website for software for public officials, Microsoft heavily promotes Office 365. While the company has announced that it will address FISMA certification for this new suite immediately after it is launched, but BPOS-F itself shows how much ground has to be made up in certification after such a product is released. The Lync Server long ago replaced one part of the suite, Office Communication Server, in Microsoft's catalog for non-government customers, but OCS still has to be used in BPOS-F as it is the most modern communication server with certification.
Continued : http://www.h-online.com/security/news/item/Microsoft-provides-certificate-for-BPOS-Federal-service-suite-1231745.html
Actually, iPhone sends your location to Apple twice a day
From the F-Secure Weblog:
Forensic researcher Alex Levinson has discovered a way to map out where an iPhone has been. The information comes from a location cache file found on an iPhone (Library/Caches/locationd/consolidated.db).
In practice, this file contains your travel history. [Screenshot]
It should be noted that this file can't be accessed by third-party apps on an iPhone, as you need root rights to reach it. However, the file is copied to your PC or Mac during standard iPhone sync operations and is accessible from there.
Yesterday, security researchers Pete Warden and Alasdair Allan released an application that can take such a file and show your movements on a map.
Now, this sounds bad from a privacy viewpoint. For example, authorities could gain a court order to do a forensic examination on your phone to figure out where you've been.
But why is Apple collecting this information to begin with? We don't know for sure. But we're guessing it's likely related to Apple's global location database.
Like Google, Apple maintains a global database of the locations of Wi-Fi networks. They use this to get an estimate of your location without using GPS. For example, if your handset sees three hotspots which have MAC addresses that Apple knows are within a certain city block in London, it's a fair bet you're in that city block.
We know how Google collected their location database: they recorded them world-wide while they had their Google Maps Street View cars driving around the globe.
Where did Apple get their location database? They used to license it from a company called Skyhook. How did Skyhook obtain this information? Well, they had their own cars drive around the world, just like Google.
Continued : http://www.f-secure.com/weblog/archives/00002145.html
One-Fourth Of SSL Websites At Risk
More than a year after the Internet Engineering Task Force (IETF) issued a security extension to the Secure Sockets Layer (SSL) protocol for a flaw that affects servers, browsers, smart cards, and VPN products, as well as many lower-profile devices such as Webcams, more than one-fourth of SSL websites haven't deployed the patch--leaving them vulnerable to a form of man-in-the-middle attack.
Of the 1.2 million SSL-enabled website servers recently surveyed by Ivan Ristic, director of engineering at Qualys, more than 25 percent were not running so-called secure renegotiation. Ristic also found that among 300,000 of the top one million Alexa websites, 35 percent were vulnerable to this type of attack, which basically takes advantage of a gap in the SSL authentication process and lets an attacker wage a MITM attack and inject his own text into the encrypted SSL session. The gap occurs in the renegotiation process, when some applications require that the encryption process be refreshed.
The IETF teamed up with the Industry Consortium for the Advancement of Security on the Internet, and several vendors, including Google, Microsoft, and PhoneFactor, and came up with a fix for SSL, known as Transport Layer Security (TLS) in the IETF standard. The fix -- Transport Layer Security (TLS) Renegotiation Indication Extension -- was issued in January of 2010 by the IETF.
Continued : http://www.darkreading.com/authentication/167901072/security/vulnerabilities/229402059/one-fourth-of-ssl-websites-at-risk.html