Google closes critical vulnerabilities in Chrome 5
Google has released version 5.0.375.127 of Chrome, a security update that addresses two "critical" and six "high" risk vulnerabilities in its WebKit-based browser. According to the developers, one of the critical issues related to the file dialogue could lead to memory corruption, while the second could cause a crash on shut down due to a notifications bug.
Additionally, the stable channel update addresses a number of high risk bugs that may, for example, lead to memory corruption during SVG handling, in MIME type handling (2x) and with Ruby and Geolocation support. Two other vulnerabilities related to text editing and a possible address bar spoofing bug, both rated as high, have been closed.
A medium risk problem has also been fixed that caused the address bar that sits at the top of the browser window (also known as the Omnibox), which doubles as a search box, to auto-suggest if the user may be about to type in a password. Further details of the vulnerabilities are being withheld until "a majority of users are up-to-date with the fix". All users are encouraged to update to the latest release as soon as possible.
As part of its Chromium Security Reward programme, launched earlier this year, Google has been rewarding those reporting security vulnerabilities. In total, Google has awarded more than $10,000 to those who discovered the above exploits in its browser, including Sergey Glazunov, Mike Taylor, kuzzcc and Team509's Wushi. Google Chrome developer Jason Kersey notes that Marc Schoenefeld was awarded with $1,337 for his help in closing a critical vulnerability in an external component, a Windows kernel bug.
Continued here: http://www.h-online.com/security/news/item/Google-closes-critical-vulnerabilities-in-Chrome-5-1062480.html
See Vulnerabilities & Fixes : Google Chrome Multiple Vulnerabilities
Facebook raises privacy concerns with Places
Facebook is taking a page from Foursquare's book by letting users "check in" to locations.
The new "Places" feature lets users share where they are, figure out who is in the vicinity, and check out happenings and services within the same locale.
Users can "check in" from their smartphones, broadcasting their location - anywhere from a restaurant to a park - to their own Facebook friends. Their whereabouts are then flashed through the network's status updates.
Users can look up the locations of friends who are similarly "checked in" - either via updates or on a separate web page - or tag friends who happen to physically be with them, thus declaring where they are.
Places also features a "People Here Now" section, which will alert Facebook users to others at the same location. "This section is visible for a limited amount of time and only to people who are checked in there," Facebook said in a blog post. "That way you can meet other people who might share your interests." Users must opt out of that feature if they don't wish to use it.
For some, the system will raise privacy concerns. "They want to make sure they've done their homework, because privacy does become a concern right out of the gate," said Michael Gartenberg, a partner at consulting and analyst firm Altimeter Group. "They don't want to introduce this and then have to come back and fix it."
Continued here: http://www.pcpro.co.uk/news/360436/facebook-raises-privacy-concerns-with-places
Facebook Places: The Cat-and-Mouse Game Continues
Facebook Places could spark new privacy fire
Pentagon takes aim at China cyber threat
The U.S. for the first time is publicly warning about the Chinese military's use of civilian computer experts in clandestine cyber attacks aimed at American companies and government agencies.
In a move that is being seen as a pointed signal to Beijing, the Pentagon laid out its concerns this week in a carefully worded report.
The People's Liberation Army, the Pentagon said, is using "information warfare units" to develop viruses to attack enemy computer systems and networks, and those units include civilian computer professionals.
The assertion shines a light on a quandary that has troubled American authorities for some time: How does the U.S. deal with cyber espionage emanating from China and almost certainly directed by the government - despite the fact that U.S. officials don't have or can't show proof of those ties?
Asked about the civilian hackers, a Defense Department spokesman said the Pentagon is concerned about any potential threat to its computer networks. The Pentagon, said Cmdr. Bob Mehal, will monitor the PLA's buildup of its cyberwarfare capabilities, and "will continue to develop capabilities to counter any potential threat."
The new warning also comes as U.S. and other international leaders are struggling to improve cooperation on global cybercrime and set guidelines for Internet oversight.
Continued : http://news.yahoo.com/s/ap/20100819/ap_on_go_ca_st_pe/us_us_china_cyber_threats
DDoS extortion-themed scam circulating
Symantec has intercepted a scam attempt, relying on scare tactics in order to trick domain owners into transferring virtual money, or face a distributed denial of service attack against their web site.
"You are welcomed with a command of hackers ZeleniyHach. We hold a huge network of Distributed Denial Of Service Attack, allowing to suspend any web site. We have been watching (domainname.com) and were able to find out that you have spent pretty money much for its advancement and want to to offer you to spend a little more yet. Just as little as 200 bucks as a voluntary donation to our fund will keep your web site away from DDOS attack. 200 bucks is not so much also will help you to avoid greater problems in the future. FOR DULLS..!!! IF YOU DO NOT OFFER TO US 200 bucks WE WILL KILL YOUR WEB SITE! Unfortunately, we accept only Webmoney Paymer Cheks, so make sure to get your fat asses out and without assistance find out how to transfer money into it. We give you 48 hours. If after 48 hours we will not get 200 dollars, there is one more 0 will be added to 200 bucks, i.e. 2000 bucks and so on until you come to reason. When you are ready, just send the check as your response to this message. In subject matter of the letter specify the domain with greater letters, it is a lot of you We are the one, respect our work."
Despite the presence of "financial penalties", which is a popular tactic used in professional DDoS extortion letters, this spamvertised campaign is a clear attempt to scam the user, meaning there's a low probability that the scammers have the DDoS capabilities they're referring to.
Continued : http://www.zdnet.com/blog/security/ddos-extortion-themed-scam-circulating/7180
Three sentenced on charges of scamming IT vendors
Three people were sentenced to prison terms Thursday for their roles in a multimillion-dollar scheme targeting payments to IT and consulting services vendors from four state governments, the U.S. Department of Justice said.
Among the companies targeted in the scam were Deloitte Consulting, Unisys, Accenture and EDS, now a part of Hewlett-Packard. The defendants were able to divert state payments totaling $3.4 million from West Virginia, Kansas, Ohio and Massachusetts to bank accounts controlled by the co-conspirators, the DOJ said in a press release.
The scheme, which began in late 2008, targeted vendors that received large payments from states on a regular basis, the DOJ said. Co-conspirators located in the U.S. filed documents to create dummy entities with names similar to legitimate vendors, as well as fraudulent bank accounts in the names of the targeted vendors. With information acquired from the Internet and other sources, the co-conspirators completed direct deposit authorization forms for the targeted vendors.
The group then mailed electronic payment authorization forms to the states, allowing the defendants to hijack legitimate vendor payments, the DOJ said. The group wired more than $770,000 to bank accounts in Kenya.
Continued : http://www.computerworld.com/s/article/9181098/Three_sentenced_on_charges_of_scamming_IT_vendors
Trojan suspected of contributing to 2008 Madrid aircrash
Authorities investigating the 2008 Madrid air crash, which resulted in the deaths of 154 people, have discovered that a central computer system used to monitor technical problems in aircraft was infected with Trojan horses.
The tragic crash, which occurred two years ago today, saw Spanair flight 5022 crash just after take off from Madrid-Barajas international airport, on what should have been a routine trip to Gran Canaria. Only 18 people survived the explosion, Spain's worst air disaster in 25 years.
According to El Pais, an internal report by the airline has revealed that a computer located at the airline's headquarters in Palma, Mallorca, should have identified three similar technical problems with the airplane, but was suffering from a malware infection.
According to the newspaper, the plane should not have been allowed to take off if the technical problems had been identified.
It's important to note - malware didn't cause the plane to crash. It may, however, have affected computer systems that (if they had been working properly without interference) may have meant that the flight would never have taken off. Unfortunately we don't know the name of the malware that is under suspicion in this case, so it's tricky to comment further.
Continued : http://www.sophos.com/blogs/gc/g/2010/08/20/trojan-horse-suspected-contributing-2008-madrid-aircrash/
PS3 Jailbreak Trojan
From the F-Secure Weblog:
For those of our readers who follow PlayStation 3 discussions, it would have been hard to miss the discussion about a new "jailbreak" for PS3. News of a USB dongle that breaks the security model of the game console to enable execution of third party software (as well as pirated games) have been going around like wildfire. [...]
Not surprisingly, online miscreants are trying to exploit the excitement. The real USB jailbreak gadget is not a USB drive. But it looks like one. So now some clown is distributing a Windows program that claims to create a jailbreak USB device out of a normal thumb drive. All you need to do is to download and run the program. [...]
Continued : http://www.f-secure.com/weblog/archives/00002014.html
Spamhaus Blocks Gmail? Report Was Not True.
"Spamhaus Blocks Gmail" - A catchy headline which certainly got the twitterati going. However, it wasn't true.
Recently some IT websites, including Softpedia and Sucuri, erroneously issued reports of Spamhaus' SBL blocking Gmail. These reports are not true. Google's Gmail service has never been listed in, or affected by, any Spamhaus DNSBL, nor ever would be. Spamhaus quite simply will not list outbound mail servers of Google/Gmail or any giant freemail provider.
Some Google-owned server IPs hosting severe malicious spam problems - specifically Google's "Google Docs" service - do get rightly listed in the Spamhaus SBL when Google does not take action fast enough to stop the serving of malicious sites via Google Docs. Such listings act as pointers to the abused resource but do not in any way affect Google's Gmail service or any Google outbound mail service.
The problem the "Google Docs" service suffers from requires taking a step back to see one of the core issues of modern day internet abuse....
As more and more services move 'to the cloud' some companies have built enormous infrastructures to provide basic computer services anytime and anywhere, often for free. Free webmail powered email addresses were the start many years ago, long before the concept of the cloud was invented. As time moved on more and more of these hosted services became available: document storage, blogs, image hosting, collaboration services and so on.
Continued here: http://www.spamhaus.org/news.lasso?article=660
As Posted (by "yours truly") Previously: Spamhaus Adds Gmail to Block List
Google Wi-Fi Spy Lawsuits Head to Silicon Valley
Whether Google is liable for damages for secretly intercepting data on open Wi-Fi routers across the United States is to be aired out in a Silicon Valley federal court.
Eight proposed class actions from across the country that seek unspecified monetary damages from Google were consolidated this week and transferred to U.S. District Judge James Ware in San Jose, California. Another five cases are likely to join.
The lawsuits allege that Google violated federal and state privacy laws in collecting fragments of data from unencrypted wireless networks as its fleet of camera-equipped cars moseyed through neighborhoods snapping pictures for its Street View program.
The consolidation decision (.pdf) by the U.S. Judicial Panel on Multidistrict Litigation is likely to spark a legal frenzy by attorneys involved in the cases, as they jockey to win over Judge Ware and garner lead counsel status. That would give those lawyers intense media attention, as well as the biggest share in legal fees from a verdict or settlement.
Still, acquiring lead counsel status, a title given to lawyers whom the judge believes can best represent the interests of class members, comes with a huge risk as well.
The deep-pocketed Google maintains (http://www.wired.com/threatlevel/2010/06/packet-sniffing-laws-murky/) that it did nothing wrong, and is likely to put up a fierce and costly defense. Google, in response to government inquiries and lawsuits, claims it is lawful to use packet-sniffing tools readily available on the internet to spy on and download payload data from others using the same open Wi-Fi access point.
Continued here: http://www.wired.com/threatlevel/2010/08/google-spy-lawsuits/
Protect Your Network from Facebook Malware
"AppRiver reports another malware campaign exploiting the trust users place in Facebook and the smartphone apps that access it"
Reports are circulating of yet another malware scam targeting Facebook users. The sheer size of the social network, combined with the inherent trust users place in messages from friends and family through Facebook make it a prime target for malware attacks to exploit.
The security analysts at AppRiver report that they are detecting a new malware campaign targeting Facebook. The campaign tricks unsuspecting users into thinking the message is coming from Facebook. The e-mail appears to be an official Facebook notification indicating the reader can reconnect with friends, but the message is full of malicious links. Clicking on one of the malicious links will then redirect them through several different Web sites and load malware onto their computer through a hidden iframe exploit.
So, what's the big deal? Is this Facebook malware attack any different than every other malicious attempt to exploit social networks? An AppRiver spokesperson explains "What's unique here is that this virus campaign is also hitting smartphone devices (specifically BlackBerrys at this time) that have the Facebook application/icon installed. In other words, it's not just utilizing email, but also triggering the application itself to make the campaign more believable."
The AppRiver spokesperson added "Since the actual payload is not pushed down until after the infection occurs, this is a great opportunity for scammers to test the lengths of their campaign. For instance, if scammers can hook applications in this fashion, it may be an indicator of what's to come in the future: an easier remote mobile device security breach. If successful, scammers may one day be able to send payloads to attack the mobile device causing a potentially severe data breach."
Continued here: http://www.networkworld.com/news/2010/082010-protect-your-network-from-facebook.html