Spyware, Viruses, & Security forum

General discussion

NEWS - August 05, 2010

by Carol~ Moderator / August 4, 2010 7:51 PM PDT
Cloud-Based Denial Of Service Attacks Looming, Researchers Say

"Two consultants use a handful of virtual servers in Amazon's EC2 cloud to take down an SMB's network "

LAS VEGAS, NEVADA -- DEFCON 2010 -- With the help of the cloud, taking down small and midsize companies' networks is easy, two consultants told attendees here last week.

With a credit card and e-mail address, security consultants David Bryan of Trustwave and Michael Anderson of NetSPI created a handful of virtual server instances on Amazon's EC2 and used a homemade program to attack the network of a client -- a small business that wanted its connectivity tested.

With only three servers -- although they eventually scaled up to 10 -- the consultants took the company off the Internet. The price? Six dollars.

"A threat agent could potentially run extortion schemes against a company by attacking for a couple of hours -- and then telling the company that, if you don't pay me, then I will attack you again," Bryan said.

It's surprising how easy it is to block a company's lifeblood connection to the Internet, the consultants said. To set up an account on Amazon EC2, there are no special bandwidth agreements or detection of servers taking malicious actions, they claimed. Moreover, complaints to Amazon by the client apparently went unanswered.

"We never got a response from Amazon," Anderson said. "We haven't gotten a call; we never got an email."

Continued here: http://www.darkreading.com/smb-security/security/perimeter/showArticle.jhtml?articleID=226500300
Discussion is locked
You are posting a reply to: NEWS - August 05, 2010
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: NEWS - August 05, 2010
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Researchers Throw Down Vulnerability-Disclosure Gauntlet
by Carol~ Moderator / August 4, 2010 8:42 PM PDT
In reply to: NEWS - August 05, 2010

"TippingPoint's Zero Day Initiative (ZDI) program institutes deadline of six months for vendors to fix bugs -- or else the bugs get published "

First it was Google drawing a line in the sand with a 60-day deadline for vendors to fix vulnerabilities it finds in their products before going public. Now it's TippingPoint's Zero Day Initiative (ZDI), which officially announced today it has set a six-month time frame from when it reports a bug to a vendor until it goes public with it.

ZDI, which historically has worked with vendors in not disclosing any bugs it finds until they patch them, says some vendors are getting a little too comfortable with that open-ended agreement. ZDI has 31 high-risk vulnerabilities on its docket that have been awaiting patches for more than a year: "We have some bulletins that are 3 years old," says Aaron Portnoy, manager of security researcher for ZDI. "The longer we sit on these, the longer people are exposed to [the threats]. Letting vendors take as much time as they needed, they took more time than they needed ... and there were no repercussions for them, but more work for us."

Aside from Google and now ZDI, Rapid7 also recently set a deadline for bug disclosures of 15 days: If a vendor hasn't patched it by then, Rapid7 reports the bug to CERT, which gives vendors 45 days to patch from the initial report date before it goes public.

But Microsoft has stood firm in its refusal to place a timetable on when it issues patches for reported bugs. Mike Reavey, director of Microsoft Security Response Center, contends that patch deadlines aren't the answer because it's not a "one-size-fits-all" time frame for fixing vulnerabilities -- some just take longer to fix than others. It's a delicate balance between quality and timeliness given that Microsoft puts the patches through a hefty testing process before issuing them, he says.

Continued : http://www.darkreading.com/vulnerability_management/security/vulnerabilities/showArticle.jhtml?articleID=226600023

As Originally Reported : Vulnerability Broker Draws Line in Disclosure Sand

Collapse -
Facebook Privacy Extended to Mobile Users
by Carol~ Moderator / August 4, 2010 8:42 PM PDT
In reply to: NEWS - August 05, 2010

"All of Facebook's privacy settings are being rolled out to users surfing the site with mobile phones."

Facebook is extending its privacy controls to its mobile users.

The company announced today all of its privacy settings will now be available to users on any browser-based mobile device.

"As of today, you can use these controls no matter where you are, what kind of device you have access to, or when you want to make a decision about your information," blogged Michael Eyal Sharon, mobile product manager at Facebook.

The new controls can be accessed by navigating to m.facebook.com/privacy or by going to the 'Settings' page and clicking the "Change" link next to the words ?Privacy Settings.? From there, users can select who can view the content they post, read through the site?s privacy guide and fully customize their settings.

Facebook updated its privacy controls earlier this year amidst calls by critics to simplify its settings.

?As mobile devices have become more sophisticated and widespread, we've noticed that people are creating content and accessing Facebook at every moment of the day, in many locations?not just from desktops,? Sharon wrote.

Continued here: http://www.eweek.com/c/a/Security/Facebook-Privacy-Extended-to-Mobile-Users-613237/

Also : Facebook gets mobile privacy

Collapse -
Creditcard multiphishing with malware
by Carol~ Moderator / August 4, 2010 8:42 PM PDT
In reply to: NEWS - August 05, 2010

The Avira Techblog:

We have started to see a new phishing method in the wild.

It is the first time that we see that a single email contains two phishing URLs, targeting two financial institutions: VISA and Mastercard. Even more, the email is targeted to the German speaking credit card users, as it is being written in German only (at the moment of writing this article).

The email is very well crafted though the German used isn?t the best, and is being sent in HTML form (with a plain text part, too). The email appears to be sent from a legitimate company called CCRD Operating Company, Inc. which owns the domains CreditCard.com and CreditCards.com. In reality, the email is sent from a bot running on an infected computer having a dynamic IP address. [[url-http://techblog.avira.com/wp-content/uploads/2010/08/multiphish-300x231.png]Screenshot of Email]

The URLs and the Websites

The target URLs are having a special format: http://host1/ verification/?page=mastercard_de and http://host2/ verification/?page=visa _de. The two hosts work with both tags, so if you interchange mastercard_de with visa_de, you will be redirected to the ?correct? fake website. This phishing operation is using multiphishing also in the back-end, having one web application serving more than one website.
[Screenshot of Fake - Visa]

In the bottom of the page there are some links which can?t be visited unless all information in the form are correctly filled.

Continued here: http://techblog.avira.com/2010/08/04/creditcard-multiphishing-with-malware/en/

Collapse -
2010 Tax-Themed Malicious Emails
by Carol~ Moderator / August 4, 2010 8:42 PM PDT
In reply to: NEWS - August 05, 2010

From Websense Security Blog:

Websense Security Labs? ThreatSeeker? Network has detected a wave of tax-themed malicious email. While the tax theme in spam email is common all year round, it is interesting to see the different strategies malicious authors use in their campaigns.

We have seen reports last June about email with the subject "Notice of Underreported Income". Today, we have seen a couple of email having the same subject but with different attack strategies.

The first sample below uses a malicious link just like those distributed earlier. Unlike earlier malicious email, which redirects to a fake IRS site that instructs the user to download a malicious file (tax-statement.exe), this link saves the victim a couple of clicks by prompting to download a file (adobe_flash_install.exe) immediately without going to a fake IRS site. [Screenshot]

Payload : [Screenshot of Payload]

The second sample below is more aggressive in that the malicious zip [MD5:dfbb95730b2377cccf8372107bdef503] is attached in the email. It is recognized by 1/42 AV engines via VirusTotal.

Continued : http://community.websense.com/blogs/securitylabs/archive/2010/08/04/2010-Tax_2D00_Themed-Malicious-Emails.aspx

Collapse -
Shocking video of a girl attacked by a shark? OMG ..
by Carol~ Moderator / August 4, 2010 10:22 PM PDT
In reply to: NEWS - August 05, 2010

"Shocking video of a girl attacked by a shark? OMG - it's a colourful clickjack attack"

From Graham Cluley's Blog at Sophos:

Hot on the heels of other recent scams spreading virally across Facebook, we're now seeing another - this time posing as a link to an alleged shocking video of a girl being attacked by a shark.

Thousands of messages have been posted by Facebook users reading:

'OMG The Most Shocking Video Caught On Camera Girl Being Attacked By A Shark' [Screenshot]

If you click on the link you are taken to a Facebook page which fools you into believing you are about to watch a video. All you need to do (they say) is click on the red button and the blue button. [Screenshot]

And now you're a fan of that page they're free to send your updates and messages, and potentially spam you or send you malicious links. What's worse - you've endorsed the page and shared it with your online mates.

All because you wanted to watch a shocking video of a girl being attacked by a shark.

In just the time it's taken me to write this blog post, some 1000 more people have agreed to "like" this page. I wonder how they would feel if they realised they had been scammed into helping the bad guys spam out their link?

Continued here: http://www.sophos.com/blogs/gc/g/2010/08/04/shocking-video-girl-attacked-shark-omg-colourful-clickjack-attack/

Collapse -
Attack of the Twitter babes - Tweets that ain't so sweet
by Carol~ Moderator / August 4, 2010 10:23 PM PDT
In reply to: NEWS - August 05, 2010

From Graham Cluley's Blog:

As we discussed in our latest update to the Sophos Security Threat Report, cybercriminals continue to exploit social networks - spreading spam, malware, and stealing identities.

The latest spam campaign we've seen on Twitter involves a bevy of beauties. Here are just a small number of the profiles I have seen, all with images of young attractive women (and/or in a state of undress): [Screenshot]

All of them have recently created Twitter accounts (the last week or so), and all of them are tweeting identical messages pointing users to a service called Tweet Attacks - which encourages you to buy a program that, it says, will help you make money via Twitter.

I don't know what the Tweet Attacks program does, but if it's in any way involved in this spam campaign I would stay far away. If you want more followers on Twitter there's a very simple, tried-and-trusted, method: tweet something that other people might find interesting.

Continued here: http://www.sophos.com/blogs/gc/g/2010/08/05/attack-twitter-babes-tweets-sweet/

Collapse -
New certifications will set high bar for IT security pros
by Carol~ Moderator / August 5, 2010 12:44 AM PDT
In reply to: NEWS - August 05, 2010

A new non-profit group is developing certifications for information technology security professionals that will set a high bar for IT security practitioners in areas like penetration testing, code auditing and control systems operation.

The National Board of Information Security Examiners (NBISE) is a new, not-for-profit corporation headed by former NERC (North American Electric Reliability Corporation) CSO Mike Assante and overseen by a board of luminaries in the world of information security and critical infrastructure. The group will be designing certification exams to test the knowledge, practical skill and professionalism of IT security practitioners, with an eye to weeding out the information technology world?s equivalent of quacks and hucksters.

The new tests are designed to supplant a hodge podge of private and industry certifications for IT security practitioners, including the CISSP and certificate programs run by the SANS Institute and other industry and private groups. NBISE claims that too many of those tests test knowledge, rather than hands-on skills required of practitioners.

The new tests are designed to supplant a hodge podge of private and industry certifications for IT security practitioners, including the CISSP and certificate programs run by the SANS Institute and other industry and private groups. NBISE claims that too many of those tests test knowledge, rather than hands-on skills required of practitioners.

?This is about a higher level of testing,? said NBISE Director and SANS Institute Director of Research Alan Paller. ?Its about having confidence that the person you hired doesn?t just know the answer, but can do the job.?

Continued here: http://threatpost.com/en_us/blogs/new-certification-group-aims-set-high-bar-it-security-pros-080510

Collapse -
For Kevin Mitnick, staying legal is job one
by Carol~ Moderator / August 5, 2010 6:13 AM PDT
In reply to: NEWS - August 05, 2010

Kevin Mitnick was eager to participate in a social-engineering contest at the Defcon hacker conference in Las Vegas last weekend and was told he would target Microsoft in the event.

He figured it would be fun to show off his schmoozing skills, which he so easily used to trick employees at tech companies in the 1990s into handing over passwords and other sensitive information, ultimately landing him in jail.

But when he called his attorney to run it past him, the response was "Are you crazy?!"

Mitnick's lawyer, who declined to be interviewed, advised his most famous client that wire fraud statutes can be broadly interpreted such that any interstate commerce (phone calls) conducted to defraud someone, even if it is part of a contest, could be construed as a violation, according to Mitnick.

Mitnick was able to get source code and other sensitive data from companies using social engineering, a hacking technique that involves simply tricking people into offering up sensitive information, rather than technical means. He was arrested in 1995 and pleaded guilty to wire and computer fraud charges. He was released from prison in 2000 and got off supervisory release in January 2003.

Continued here: http://news.cnet.com/8301-1009_3-20012722-83.html

Collapse -
How ISPs Can Help Fight Botnets And Cybercrime
by Carol~ Moderator / August 5, 2010 6:13 AM PDT
In reply to: NEWS - August 05, 2010

From TrendLabs Malware Blog:

Cybercrime is a day-to-day reality for anyone using the Internet ? whether for email or web surfing, all Internet users are potentially at risk.

Botnets are the tool of choice for distributing malware, perpetrating attacks, and sending slews of spam email. Through these botnets, botnet herders (the cybercriminals behind the botnets), earn millions of dollars in money stolen from innocent computer users.

These cybercriminals buy and sell, build partnerships, and rent services just as above-board business would; the main difference being the legitimacy and legality of the products, solutions and services they handle. The quantity of spammed messages distributed via botnets is astronomical. Spam continues to be a vector of choice for criminals owing to the speed of distribution and delivery, the vast target list and relatively low cost of investment when compared to the profit on offer.

As an example of how and why the issue of spam is now overwhelming, according to Trend Micro research, spam now accounts for around 97% of all email(PDF) in circulation. In a recent laboratory controlled investigation, the quantity of spam generated by a single bot infested computer in a 24 hour period totaled around 2,553,940.

What can be done about it, and who can effect a change?

According to a recent the 2010 Consumer Survey, published by MAAWG (the Messaging Anti-Abuse Working Group), 65 percent of respondents felt ISPs and ESPs should bear most responsibility for stopping spam, computer viruses, fraudulent email, and spyware.

Continued : http://blog.trendmicro.com/how-isps-can-help-fight-botnets-and-cybercrime/

Collapse -
Microsoft to set record with next Patch Tuesday
by Carol~ Moderator / August 5, 2010 7:27 AM PDT
In reply to: NEWS - August 05, 2010

"14 patches, eight critical"

Microsoft's security patch release scheduled for next week will include a record number of bulletins that fix dozens of vulnerabilities in several of its products, the company said on Thursday.

The next Patch Tuesday, scheduled for August 10, will include 14 bulletins, eight of which are rated critical, Microsoft's highest severity classification, generally reserved for bugs that can be exploited to remotely execute malware on vulnerable systems with little or no interaction on the part of the end user. Six of those bulletins apply to Windows, another one applies jointly to Windows and Silverlight and the last to the Office suite.

The remaining bulletins are rated important, and apply to Windows and Office. In all, the 14 bulletins patch 34 vulnerabilities.

?For those who keep track of such things, this will be the most bulletins we have ever released in a month; we have released 13 bulletins on a couple of occasions,? Angela Gunn, a new member of the Microsoft Security Response Center blogged. ?However, in total CVE [Common Vulnerability and Exposure] count, this release ties with June 2010, so there's no new record there.?

There are no reports any of the vulnerabilities are being exploited. Yes, a reboot is required for many of the patches.

Continued here: http://www.theregister.co.uk/2010/08/05/microsoft_august_2010_patch_tuesday/

Microsoft slates record-setting monster Patch Tuesday next week
Microsoft to Release Most Patch Tuesday Bulletins Ever

Collapse -
Adobe plans emergency patch for critical Reader bug
by Carol~ Moderator / August 5, 2010 7:28 AM PDT
In reply to: NEWS - August 05, 2010

"Adobe plans emergency patch for critical Reader bug"

Adobe plans to release an emergency update patching a critical vulnerability in its ubiquitous Reader application that was disclosed at last week's Black Hat security conference in Las Vegas.

The fix will be made available during the week of August 16 for Windows, Mac OS X, and Unix versions of Adobe Reader 9.3.3, company officials said on Thursday. It will patch a hole that security researcher Charlie Miller disclosed during a talk demonstrating a tool called BitBlaze, which streamlines the analysis of crash bugs. Adobe has rated the vulnerability as critical because it can be exploited with little user interaction to remotely execute malicious code on a targeted system.

The announcement suggests that Adobe's security team is getting faster at responding to reported vulnerabilities. Over the past year, Reader has seen a string of unpatched vulnerabilities that have taken weeks to patch, even when the bugs are actively being exploited in the wild. And even then, updates often were available only for Windows, forcing Mac and Unix users to wait weeks for their patches.

Adobe has also pledged to add a security sandbox to the next major upgrade of Reader, a feature designed to mitigate the damage hackers can cause when software bugs are discovered.

Continued here: http://www.theregister.co.uk/2010/08/05/emergency_adobe_reader_patch/

See: Out-of-band Security Updates for Adobe Reader and Acrobat

Collapse -
What?s in a (rogue) name? VirusTotal 2010
by Carol~ Moderator / August 5, 2010 7:40 AM PDT
In reply to: NEWS - August 05, 2010

From the Sunbelt Blog:

There is a well-respected and very useful site that everyone in the anti-virus industry uses ? sometimes several times a day: Virus Total. You can upload suspicious files or their check sums to Virus Total to see if a file is malicious. The makers of a new rogue have picked up on the Virus Total name in an effort to make their malicious creation look like something legitimate: [Screenshot]

What it tries to download is detected as FraudTool.Win32.FakeRean (fs).

Here?s what the real Virus Total site looks like. It basically runs your code sample or check sum against 41 anti-virus engines and displays the resulting detections. [Screenshot]

As Posted Here: http://sunbeltblog.blogspot.com/2010/08/whats-in-rogue-name-virus-total-2010.html

Collapse -
Crimepack: Packed with Hard Lessons
by Carol~ Moderator / August 5, 2010 8:29 AM PDT
In reply to: NEWS - August 05, 2010

Exploit packs ? slick, prepackaged bundles of commercial software that attackers can use to booby-trap hacked Web sites with malicious software ? are popular in part because they turn hacking for profit into a point-and-click exercise that even the dullest can master. I?ve focused so much on these kits because they also make it easy to visually communicate key Internet security concepts that otherwise often fall on deaf ears, such as the importance of keeping your software applications up-to-date with the latest security patches.

One of the best-selling exploit packs on the market today is called Crimepack, and it?s a kit that I have mentioned at least twice in previous blog posts. This time, I?ll take a closer look at the ?exploit stats? sections of a few working Crimepack installations to get a better sense of which software vulnerabilities are most productive for Crimepack customers.

Check out the following screen shot, taken in mid-June from the administration page of a working Crimepack exploit kit that targeted mostly German-language Web sites. This page shows that almost 1,800 of the nearly 6,000 people who browsed one of the stable of malicious sites maintained by this criminal got hacked. That means some software component that 30 percent of these visitors were running either in their Web browsers or in the underlying Windows operating system was vulnerable to known software flaws that this kit could exploit in order to install malicious software.

Continued here: http://krebsonsecurity.com/2010/08/crimepack-packed-with-hard-lessons/

Collapse -
Google and Verizon Near Deal on Web Pay Tiers
by Carol~ Moderator / August 5, 2010 8:29 AM PDT
In reply to: NEWS - August 05, 2010
Google and Verizon, two leading players in Internet service and content, are nearing an agreement that could allow Verizon to speed some online content to Internet users more quickly if the content?s creators are willing to pay for the privilege.

The charges could be paid by companies, like YouTube, owned by Google, for example, to Verizon, one of the nation?s leading Internet service providers, to ensure that its content received priority as it made its way to consumers. The agreement could eventually lead to higher charges for Internet users.

Such an agreement could overthrow a once-sacred tenet of Internet policy known as net neutrality, in which no form of content is favored over another. In its place, consumers could soon see a new, tiered system, which, like cable television, imposes higher costs for premium levels of service.

Any agreement between Verizon and Google could also upend the efforts of the Federal Communications Commission to assert its authority over broadband service, which was severely restricted by a federal appeals court decision in April.

People close to the negotiations who were not authorized to speak publicly about them said an agreement could be reached as soon as next week. If completed, Google, whose Android operating system powers many Verizon wireless phones, would agree not to challenge Verizon?s ability to manage its broadband Internet network as it pleased.

Continued here: http://www.nytimes.com/2010/08/05/technology/05secret.html

Net neutrality deal may not see wider support
FCC abandons efforts at net neutrality compromise
Popular Forums
Computer Newbies 10,686 discussions
Computer Help 54,365 discussions
Laptops 21,181 discussions
Networking & Wireless 16,313 discussions
Phones 17,137 discussions
Security 31,287 discussions
TVs & Home Theaters 22,101 discussions
Windows 7 8,164 discussions
Windows 10 2,657 discussions


Help, my PC with Windows 10 won't shut down properly

Since upgrading to Windows 10 my computer won't shut down properly. I use the menu button shutdown and the screen goes blank, but the system does not fully shut down. The only way to get it to shut down is to hold the physical power button down till it shuts down. Any suggestions?