
NEWS - April 26, 2010

"That's not the lesson!!" Lessons unlearned from the Blippy CC number exposure.

From Errata Security:

If you didn't read about what happened to the social media site Blippy this week, they've explained it better than I will here. Basically 5 credit card numbers were exposed to Google. Two unnamed small banks pushed the number to Blippy's system in a way that is not consistent with any other bank, and therefore Blippy had not accounted for it in their first beta. The issue with these numbers is now resolved, and the question remains, has the damage already been done?

If you didn't read the actual statement from Blippy transparently explaining the problem and how they fixed it, you're not alone. On Twitter especially, there was a flood of retweets exclaiming "I told you so! It's obviously a crazy idea!" without any real information. This company was figuratively set aflame in the eyes of the web. As someone that has studied identity theft extensively, I have been watching Blippy from the beginning, and what I can't stress enough here is "That's not the lesson!" We should NOT be treating this incident as proof that Blippy is a bad idea, because this incident DOESN'T prove that.

Continued here:

Also: Website shares user credit cards with world+dog
Prior Post: Oversharing and a powerful search engine = FAIL
From the CEO/Co-Founder at the Blippy Blog: Blippy Issues, Resolutions, Plan
McAfee promises to reimburse consumers for bad update

"Will pay 'reasonable expenses' for PC repairs; no word on compensation for business customers"

McAfee will reimburse its consumer customers for "reasonable expenses" they have incurred dealing with last week's faulty antivirus update, the company said.

In a message on its Web site aimed at consumers, McAfee promised to pay for repairs. "If you have already incurred costs to repair your PC as a result of this issue, we're committed to reimbursing reasonable expenses," the company said. "Steps to process your reimbursement request will be posted in the next few days."

There is no similar message on the flawed update help pages dedicated to businesses.

Since last Wednesday, when a McAfee antivirus signature update wrongly identified a critical Windows system file as a low-threat virus, the company has stressed that few consumers were affected. Most of the PCs crippled by the flawed update, McAfee has said, were in corporations.

Some businesses reported that thousands of systems refused to boot properly, had lost their network connections, or both. According to comments added to a blog post by CEO David DeWalt, many were still trying to resuscitate PCs three days into the incident.

Continued here:

(Referenced above) From McAfee's site: McAfee Offers Solution For Home or Home Office Consumers Affected By Faulty Update to Security Software

Manual Verification of SSL/TLS Certificate Trust Chains using Openssl

This is a blog cross-post from a two-part article published on Taddong's Security Blog.

This week, during my Internet Storm Center (ISC) shift, Firefox 3.6.3 (the latest available version) displayed a digital certificate error when accessing the ISC login page through SSL/TLS. I confirmed this on a couple of Firefox instances running on Mac OS X and Windows XP. [...]

We also got a few reports from ISC readers on the same issue, although other people running the same browser version, and even language (EN), on the same OS platforms, didn't get any error message. Finally, the reason was a new ISC digital certificate had been recently installed, and the required intermediate certificate was missing in some web browsers. As a result, the browser couldn't validate the full digital certificate chain to ensure you were really connecting to the website you intended to connect to.

This is a common scenario in security incidents, where Man-in-the-Middle (MitM) attacks or direct web server breaches modify the SSL/TLS certificate offered to the victim, and when it is accidentally accepted, the attacker can intercept and modify the "secure" HTTPS channel. As you may find yourself dealing with a similar situation in the future... how can you (as I did) check what the real reason behind the SSL/TLS certificate validation error is? By manually verifying the SSL/TLS certificate trust chain, or certificate hierarchy, through openssl.

Continued here:
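The failure mode the post above describes (a server whose new certificate is issued by an intermediate CA that the client does not have) can be reproduced offline. The script below is an added example and is not code from the Taddong/ISC article: it builds a throwaway root, intermediate and leaf with openssl, then runs openssl verify twice, once with only the root trusted (which fails the way those Firefox instances did) and once with the intermediate supplied as the server should have sent it. The hostname login.example.net and the "Example ... CA" names are made up; the only assumption is an openssl 1.1.x or 3.x binary on PATH.

```shell
#!/bin/sh
# Added example, not part of the original article: reproduce the "missing
# intermediate" chain failure with a local three-tier PKI and check it with
# openssl verify, which is what a browser does when it validates a chain.
# Assumes: openssl on PATH. login.example.net and the CA names are made up.
set -e

# Files are left in $PKI_DIR so you can inspect them afterwards.
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Build root -> intermediate -> leaf. Both CA certificates carry CA:TRUE so
# openssl will accept them as issuers; the leaf is CA:FALSE.
build_test_pki() (
    cd "$PKI_DIR"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:login.example.net\n' > leaf.ext

    # Root CA: self-signed
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
        -extfile ca.ext 2>/dev/null

    # Intermediate CA: signed by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out inter.pem -days 30 -extfile ca.ext 2>/dev/null

    # Leaf (server) certificate: signed by the intermediate, NOT by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=login.example.net" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -out leaf.pem -days 30 -extfile leaf.ext 2>/dev/null
)

# Print subject/issuer of each certificate so the hierarchy is visible.
show_chain() {
    for c in root inter leaf; do
        openssl x509 -in "$PKI_DIR/$c.pem" -noout -subject -issuer
    done
}

# A client that trusts only the root and has never seen the intermediate.
# Succeeds only if openssl reports "leaf.pem: OK" (exit codes differ across
# openssl versions, so the printed verdict is the portable signal).
verify_without_intermediate() {
    openssl verify -CAfile "$PKI_DIR/root.pem" "$PKI_DIR/leaf.pem" 2>&1 \
        | grep -q 'leaf.pem: OK$'
}

# Same trust store, but the intermediate is offered alongside the leaf,
# which is what a correctly configured server sends in the TLS handshake.
verify_with_intermediate() {
    openssl verify -CAfile "$PKI_DIR/root.pem" -untrusted "$PKI_DIR/inter.pem" \
        "$PKI_DIR/leaf.pem" 2>&1 | grep -q 'leaf.pem: OK$'
}

build_test_pki
echo "# Certificate hierarchy:"
show_chain
echo "# Trusting only the root, intermediate missing (expect: unable to get local issuer certificate):"
openssl verify -CAfile "$PKI_DIR/root.pem" "$PKI_DIR/leaf.pem" || true
echo "# Same root, intermediate supplied with -untrusted (expect: OK):"
openssl verify -CAfile "$PKI_DIR/root.pem" -untrusted "$PKI_DIR/inter.pem" "$PKI_DIR/leaf.pem"
```

To apply this to a live site rather than the toy PKI, dump what the server actually sends with `openssl s_client -connect host:443 -servername host -showcerts </dev/null`: if only the leaf appears there, every client that does not already have the intermediate cached will fail exactly as described, while clients that fetched it earlier from some other site will succeed, which explains why some ISC readers saw the error and others did not.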
PayPal phishing attack - would you have been fooled?

From Graham Cluley's Blog:

Here's an email I received this morning claiming to come from PayPal, informing me that my account has been suspended because someone has been repeatedly trying (and failing) to access it.

Subject: A high number of failed login attempts have been recorded on your online account..

Message body:
We are sorry to inform you that your PayPal Account has been suspended.

A high number of failed login attempts have been recorded on your online account.

As a security measure we had to temporarily suspend your account. To restore your account we have attached a form to this email.

Please download the form and follow the instructions on your screen.

NOTE: The form needs to be opened in a modern, javascript enabled, browser (ex: Internet Explorer 8, Firefox 3, Safari 3, Opera 9).

We apologize for any inconvenience this may have caused.
Sincerely, the PayPal security team.


Phishing Attacks Target Twitter Users

From the McAfee Labs Blog:

A new attack on Twitter users has been arriving as spam with a phishing link. It appears as a notification about an unread message from Twitter Support with a subject line such as "Twit 73-923." The ending number can vary. The body of the message includes "You have [some number of] delayed message(s) from Twitter" and a link to a phishing site. [...]

If you receive one of these emails, make sure to check where the link points to before clicking on it. To visit a page such as this (or any page even), it's much safer to manually type the web address instead of clicking a link in an email. Links can easily be faked! [...]

Users without protection who click on any of these links could infect their PCs or reveal their Twitter credentials.

Continued here:

iPad Users Targeted by Backdoor Dissembled as iTunes Update

"An e-mail invitation to an iTunes update gets iPad users' PCs into backdoor trouble."

Success stories are cybercriminals' go-to sources of victims, and the iPad craze couldn't have been left out of this picture. According to some reports, Apple sold 150,000 iPads in the first 60 hours of presale availability, with almost 100,000 of these coveted devices being pre-ordered in the first 10 hours. The figures make it clear as daylight why malware creators were so keen on crashing this promising party.

The invitation to the "contagious fiesta" comes via e-mail: an unsolicited message instructs iPad users to download the latest version of the iTunes software on their PCs as a preliminary step to an update of their iPad software. [Fig. 1: The fake iPad software update announcement]

To carry conviction, the e-mail emphasizes that users should keep their iPad software updated "for best performance, newer features and security".

It goes on to clarify the multi-step procedure by pointing out that in order for the update to be performed the latest version of iTunes should first be downloaded from the Internet. A direct link to the download location is conveniently provided. As a proof of cybercrime finesse, the webpage the users are directed to is a perfect imitation of the one they would use for legitimate iTunes software downloads.

Continued here:

The Stubborn Rogue

From BitDefender's Malware City Blog:

"Rogue antivirus and antispyware utilities have been around for a while, but the cyber-criminals behind this prolific business do not cease to upgrade their weapons."

Trojan.Fakealert.CAW is the latest of its kind. The 1,164 KB package is extremely large for an average piece of malware, but it surely does not want to go unnoticed. After deployment, this rogue AV utility creates its own folder in "%systemdrive%\Documents and Settings\All Users\Application Data\" and names it using an 8-digit random string. In this folder, Trojan.Fakealert.CAW creates a copy of itself under the same random name, as well as a batch file which runs the newly created copy with the "install" parameter. Afterwards, both the original and the batch files are deleted.

Upon successfully infecting the system, the malware starts popping up alerts informing the user about the installation of the "Security Tool", creates shortcuts on the desktop, start-menu and tray icon, and sets itself to automatically start up by creating a new entry in the registry under the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" with its file path as value. [...]

Continued here:

Update : Status of Security Update MS10-025 (Re-release)

Last week I posted an item in the News Thread from The Microsoft Security Response Center:

"MS10-025 Security Update to be Re-released "

Jerry Bryant has since updated the information to read:

'I wanted to give customers an update on the status of MS10-025. First, I want to reiterate that this issue affects only Windows 2000 Servers in a non-default configuration: Windows Media Services needs to be installed. Customers who do not have Windows Media Services installed are not affected and were not offered this update.

Shortly after we released the update we received several reports that it did not protect against the vulnerability reported to us. At that time, we pulled the update and notified customers. The main reason for pulling the update was to save a reboot for customers who had not yet installed it. The original issue was missed due to focusing on a variant of the original report early in the investigation. We are addressing this issue and plan to re-release the update next week.

Once we are sure of the exact day the update will be ready for re-release, we will post that information to our Twitter account: @MSFTSecResponse. This will go out as a major revision to the bulletin so there will be no advance notification mailer going out but those who have subscribed to our comprehensive notification service will receive an email when it is released. Subscribe here.

In the meantime, we continue to encourage customers who have Windows Media Services installed on Windows 2000 Server to review the mitigations and workarounds in the bulletin and to apply firewall best practices to reduce exposure.


Jerry Bryant
Group Manager, Response Communications


As referenced above: Microsoft Security Bulletin MS10-025

Spammers Pay Others to Answer Security Tests

Faced with stricter Internet security measures, some spammers have begun borrowing a page from corporate America's playbook: they are outsourcing.

Sophisticated spammers are paying people in India, Bangladesh, China and other developing countries to tackle the simple tests known as captchas, which ask Web users to type in a string of semiobscured characters to prove they are human beings and not spam-generating robots.

The going rate for the work ranges from 80 cents to $1.20 for each 1,000 deciphered boxes, according to online exchanges like, where dozens of such projects are bid on every week.

Luis von Ahn, a computer science professor at Carnegie Mellon who was a pioneer in devising captchas, estimates that thousands of people in developing countries, primarily in Asia, are solving these puzzles for pay. Some operations appear fairly sophisticated and involve brokers and middlemen, he added.

"There are a few sites that are coordinated," he said. "They create the awareness. Their friends tell their friends, who tell their friends."

Sitting in front of a computer screen for hours on end deciphering convoluted characters and typing them into a box is monotonous work. And the pay is not great when compared to more traditional data-entry jobs.

Continued here:

Windows XP Still Less Secure than Win 7 and Vista

Microsoft has released a new Security Incident Report (pdf) --the eighth volume of Microsoft's quarterly overview of computer and network security trends. The report illustrates once again that security can be greatly improved by upgrading to the latest software, and through user education.

The Key Findings Summary (pdf) points out some of the more relevant data discovered over the past three months. Here are some of the highlights:

• The 64-bit versions of Windows 7 and Windows Vista SP2 had lower infection rates than any other operating system configuration in 2H09, although the 32-bit versions both had infection rates that were less than half of Windows XP with its most up-to-date service pack, SP3.

• Domain-joined computers were much more likely to encounter worms than non-domain computers, primarily because of the way worms propagate. Worms typically spread most effectively via unsecured file shares and removable storage volumes, both of which are often plentiful in enterprise environments and less common in homes.

• In Windows XP, Microsoft vulnerabilities account for 55.3 percent of all attacks in the studied sample (comparing targets of browser-based exploits).

Continued here:

CNET Forums