Serious Crypto Bug Found in PHP 5.3.7
The maintainers of the PHP scripting language are warning users about a serious crypto problem in the latest release and advising them not to upgrade to PHP 5.3.7 until the bug is resolved.
PHP 5.3.7 was just released last week and that version contained fixes for a slew of security vulnerabilities. But now a serious flaw has been found in that new release that is related to the way that one of the cryptographic functions handles inputs. In some cases, when the crypt() function is called using MD5 salts, the function will return only the salt value instead of the salted hash value.
The problem does not occur when using Blowfish or DES, only with MD5. The initial bug report on the problem in the PHP system appeared Aug. 17, the day before the public stable release of PHP 5.3.7.
"If crypt() is executed with MD5 salts, the return value consists of the salt only. DES and BLOWFISH salts work as expected. I tested with php from openSUSE PHP5 repository," the report said. Several other users reproduced the problem on various other platforms.
Continued : http://threatpost.com/en_us/blogs/serious-crypto-bug-found-php-537-082211
Also: PHP users warned not to upgrade to 5.3.7
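The failure mode described above (a crypt()-style call that hands back the salt instead of a salted hash) is easy to guard against and easy to write a regression test for, because a correct MD5-crypt result has a fixed shape: "$1$", up to eight salt characters, "$", then exactly 22 characters of hash. The following is an added example, not code from the PHP project or from the bug report: a pure-Python reference implementation of the MD5-crypt algorithm (the same construction PHP's crypt() uses for "$1$" salts) next to a sanity check that rejects any output which is only the salt or is otherwise not a well-formed hash. The function names, the wrapper and the sample password/salt values are the example's own; the one known-answer vector is a published glibc md5-crypt test vector.

```python
import hashlib
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Well-formed "$1$" output: salt of 1..8 non-'$' characters, then 22 hash characters.
MD5_CRYPT_RE = re.compile(r"^\$1\$([^$]{1,8})\$([./0-9A-Za-z]{22})$")


def _to64(value, count):
    """crypt's to64(): emit `count` 6-bit groups of `value`, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password, salt):
    """Reference MD5-crypt ("$1$") following the original FreeBSD/glibc construction.

    `salt` may be bare ("saltsalt") or a full setting string ("$1$saltsalt$");
    at most 8 salt characters are used, as the C implementation does.
    """
    pw = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]
    sb = salt.encode()

    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                       # feed len(pw) bytes of alt, 16 at a time
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                                   # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds; the mixing pattern is fixed by the algorithm.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$1$" + salt + "$" + encoded


def crypt_output_is_sane(setting, result):
    """Reject the PHP 5.3.7 failure mode: result is the salt only, or not a full hash."""
    if result == setting or result == setting.rstrip("$"):
        return False
    return MD5_CRYPT_RE.match(result) is not None


def safe_md5_crypt(password, setting, crypt_func=md5_crypt):
    """Wrap any crypt()-like callable and refuse to hand back a truncated hash."""
    result = crypt_func(password, setting)
    if not crypt_output_is_sane(setting, result):
        raise RuntimeError("crypt() returned a truncated value; do not store it")
    return result


if __name__ == "__main__":
    # Constructed example values, not taken from the bug report.
    print(md5_crypt("password", "$1$saltsalt$"))

    def broken_crypt(pw, setting):
        # Simulates the broken crypt(): returns the salt and nothing else.
        return setting.rstrip("$")

    try:
        safe_md5_crypt("password", "$1$saltsalt$", crypt_func=broken_crypt)
    except RuntimeError as exc:
        print("caught:", exc)
```

The same shape check applies unchanged to the output of PHP's crypt() itself: compare the returned string against the setting you passed in and against the regular expression before anything is written to a password store, since a stored salt-only value lets any password "match" on a later, correct crypt() call only if the comparison is equally broken, and otherwise locks every affected user out.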
Google+ introduces verified accounts
Google is adding another feature that should guarantee that a Google+ profile corresponds with the actual real-life identity of a user.
"We're starting to roll out verification badges on profiles so you can be sure the person you're adding to a circle is who they claim to be," wrote Google official Wen-Ai Yu. "For now, we're focused on verifying public figures, celebrities, and people who have been added to a large number of Circles, but we're working on expanding this to more folks."
The verification badge will take the form of a grey checkmark positioned next to the profile name and rolling over it with the mouse will reveal the "verified name" status.
The advent of Google+ and of its "real name" requirement has been a matter of great debate on the Internet for a while now.
Google is understandably trying to replicate the model that made Facebook successful, but has been experiencing a lot of criticism from privacy advocates regarding its insistence on it and regarding the deletion of many accounts whose owners failed to provide their real name.
Continued : http://www.net-security.org/secworld.php?id=11489
Why you shouldn't trust Google+ Verified Accounts
Google+ account verification begins, may be required for all
Huge stash of leaks destroyed by former Wikileaks spokesman
Wikileaks has confirmed that thousands of leaked files have been destroyed by the group's former German spokesperson Daniel Domscheit-Berg.
This time last year, Wikileaks suspended Domscheit-Berg, and ever since has been trying to persuade him to return the material, which includes over 3,500 files.
These, says Wikileaks, include more than 60,000 emails from the NPD, US intercept arrangements for over a hundred internet companies, the internals of around 20 neo-Nazi organizations, 5GB of data from the Bank of America and the entire US no-fly list.
The material also includes internal Wikileaks communications which, says founder Julian Assange, Domscheit-Berg has been threatening to make public.
Assange says he's been pleading with Domscheit-Berg for the material's return, but has now had confirmation that it's been destroyed.
"The material is irreplaceable and includes substantial information on many issues of public importance, human rights abuses, mass telecommunications interception, banking and the planning of dozens of neo-Nazi groups," says Assange in a statement.
Continued : http://www.tgdaily.com/security-features/58012-huge-stash-of-leaks-destroyed-by-former-wikileaks-spokesman
Wikileaks spokesman deletes data
WikiLeaks admits insider deleted loads of its data
Epson Korea hack impacts 350,000 customers
Epson Korea has been hit by a massive data breach, involving the personal information of 350,000 registered customers.
Hackers broke into Epson Korea's computer systems, and stole information including passwords, phone numbers, names, and email addresses of customers who had registered with the company.
A warning message was posted to the Epson Korea website, and computer users who believe they may have been affected are advised to change their passwords as soon as possible. [Screenshot]
Although you may not care very much if someone can log into your account at Epson, you certainly will care if they can also use the same password to access your other online accounts. Once again, we find ourselves having to remind users to get into the habit of using different passwords for different websites.
Continued : http://nakedsecurity.sophos.com/2011/08/22/epson-korea-hack-impacts-350000-customers/
News Feeds Abused by Spammers, Again!
Symantec Security Response Blog:
In the past few weeks, we have observed an old spam tactic re-emerging. Spammers are again using news feeds to populate the subject header of spam messages. This technique has been used in the past in the form of directory harvesting attacks to gather valid email addresses. However, those attacks usually lasted for only one or two weeks, perhaps because their goal of collecting email addresses had been served. This time not only is the duration longer, but they have been selective in their news agency - it is only "BBC News" at this time.
Pharmacy-related spam is employing this technique, obviously attempting to get curious readers to open up these emails. Using different techniques, like interesting news topics in a subject line, may compel users to open a spam email. This indirectly gives spammers a chance to advertise their products and possibly sell them too. In the case of malicious attacks, it is clicking viral links or attachments to compromise and later control the user's computer.
In this particular trend, it looks like the spammers collect a whole bunch of news items from a specific day of the week (recent attacks suggest Thursdays or Fridays) and rotate these news headlines in the subject headers of the spam emails throughout the rest of the week. Spammers are known for being unpredictable, so it won't be surprising if they change their ways in this spam campaign as well. For example, sometimes we found them sending updated news as well. Russian domains (.ru top-level domains) and a domain name with "pills" have also been a common feature of this attack.
Here are some sample images of spam messages:
Continued : http://www.symantec.com/connect/blogs/news-feeds-abused-spammers-again
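A headline in the Subject line is not, on its own, a spam signal; legitimate newsletters reuse headlines verbatim. What the post describes is the combination: a subject lifted from a public news feed plus sender or link domains of the kind it lists (.ru, a "pills" name). The following is an added example, not code from Symantec or from the post: it parses a (constructed) RSS feed into a set of normalized headlines, then scores (constructed) messages by whether the subject matches a headline and whether any From or link domain trips the coarse domain heuristic taken from the post. Feed titles, messages, domain lists and function names are all this example's own; the .ru rule is kept only because the post reports it for this campaign, not as a general rule.

```python
import email
import re
import xml.etree.ElementTree as ET
from email import policy
from email.utils import parseaddr

# Constructed stand-in for a real headlines feed; the titles are invented.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example News</title>
<item><title>Markets rally after surprise rate decision</title></item>
<item><title>Storm warnings issued for the east coast</title></item>
</channel></rss>"""

# Constructed messages; only headers and links matter to the check.
SAMPLE_MESSAGES = [
    "From: offers <promo@cheap-pills-store.ru>\n"
    "Subject: Markets rally after surprise rate decision\n\n"
    "Best prices here: http://cheap-pills-store.ru/order\n",
    "From: Example News <digest@news.example.org>\n"
    "Subject: Storm warnings issued for the east coast\n\n"
    "Read more: http://news.example.org/story/123\n",
    "From: Alice <alice@example.com>\n"
    "Subject: lunch tomorrow?\n\n"
    "Same place as last week? http://maps.example.com/cafe\n",
]

# Heuristics from the post for this campaign only (assumption: not a general rule).
SUSPICIOUS_TLDS = {"ru"}
SUSPICIOUS_WORDS = ("pills", "pharm", "meds")
URL_HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)


def normalize(text):
    """Collapse whitespace and case so headline/subject comparison is exact."""
    return re.sub(r"\s+", " ", text).strip().lower()


def headlines_from_rss(xml_text):
    """Return the set of normalized <item><title> strings from an RSS 2.0 document."""
    root = ET.fromstring(xml_text)
    return {normalize(t.text) for t in root.iterfind("./channel/item/title") if t.text}


def domains_in_message(msg):
    """Hostnames from the From address and from any http(s) link in a plain-text body."""
    hosts = set()
    _, addr = parseaddr(str(msg.get("From", "")))
    if "@" in addr:
        hosts.add(addr.rsplit("@", 1)[1].lower())
    body = msg.get_content() if not msg.is_multipart() else ""
    hosts.update(h.lower() for h in URL_HOST_RE.findall(body))
    return hosts


def suspicious_domain(host):
    host = host.split(":", 1)[0]
    tld = host.rsplit(".", 1)[-1]
    return tld in SUSPICIOUS_TLDS or any(w in host for w in SUSPICIOUS_WORDS)


def score_message(raw, headlines):
    """Flag only when BOTH signals are present: headline subject AND a suspicious domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    reasons = []
    headline_hit = normalize(subject) in headlines
    if headline_hit:
        reasons.append("subject is a verbatim news headline")
    bad_hosts = sorted(h for h in domains_in_message(msg) if suspicious_domain(h))
    if bad_hosts:
        reasons.append("suspicious domain(s): " + ", ".join(bad_hosts))
    return {"subject": subject, "flagged": headline_hit and bool(bad_hosts), "reasons": reasons}


def triage(raw_messages, feed_xml):
    headlines = headlines_from_rss(feed_xml)
    return [score_message(raw, headlines) for raw in raw_messages]


if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES, SAMPLE_FEED):
        print(result["flagged"], "|", result["subject"], "|", "; ".join(result["reasons"]))
```

In practice the headline set would be refreshed from the real feed on the day the post identifies (Thursday or Friday) and kept for the following week, since the post reports the same headlines being rotated through the rest of the week.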
Flashy Cars Got Spam Kingpin Mugged
A Russian spammer suspected of maintaining the infamous Rustock spam botnet earned millions of dollars blasting junk email for counterfeit Internet pharmacies. Those ill-gotten riches let him buy flashy sports cars, but new information suggests that this attracted the attention of common street thugs who targeted and ultimately mugged the spammer, stealing two of his prized rides.
In March, I published a story linking the Rustock botnet to a spammer who used the nickname Cosma2k. This individual was consistently one of the top five moneymakers for SpamIt, which, until its closure last fall, paid spammers millions of dollars a year and was the world's largest distributor of junk mail.
Earlier this month, someone leaked thousands of online chat logs taken from Dmitry "SaintD" Stupin, a Russian who allegedly ran the day-to-day operations of SpamIt. Those records include numerous chat conversations allegedly between Stupin and a SpamIt affiliate named Cosma.
In several chats, Cosma muses on what he should do with tens of thousands of compromised but otherwise idle PCs under his control. Throughout the discussions between Stupin and Cosma, it is clear Cosma had access to internal SpamIt resources that other spammers did not, and that he had at least some say in the direction of the business.
Continued : http://krebsonsecurity.com/2011/08/flashy-cars-got-spam-kingpin-mugged/#more-11222
Ukraine police swoop on fake credit card gang
"Criminals accused of causing £12 million in fraud damages"
Ukraine's security service SBU said Monday it had arrested four people for allegedly creating fake payment cards with stolen information in an operation estimated to have caused $20 million (£12 million) in damages.
The SBU said raids conducted earlier this month yielded 1,000 plastic cards and more than 100,000 financial records used to make the cards, according to a translation of a news release.
An official contacted at the SBU was unable to immediately give further information. The SBU said it worked with US law enforcement on the operation. A Federal Bureau of Investigation spokeswoman said on Monday that the bureau did not have information on the arrests.
The FBI has stationed a supervisory special agent at the Embassy in Kiev since October 2009 with the Office of the Legal Attache. According to the US Embassy in the Ukraine, "cybercrimes originating from Ukraine and targeting US companies and individuals represent a significant criminal threat and financial loss."
Continued : http://news.techworld.com/security/3298427/ukraine-police-swoop-on-fake-credit-card-gang/
Hackers Use Social Tricks To Get Bank Passwords
Auditors at Trace Security used social engineering tactics to obtain sensitive information and infect systems
While cyber-attackers can probe websites to find application flaws and network holes, employees at many financial institutions are just as vulnerable to social engineering tricks.
Why hack a website when all it takes is a phone call to get into a customer bank account? That is the question Jim Stickey, CTO of TraceSecurity asks when auditing the security measures in place at banks and credit unions around the country. The audits focus on both physical thefts as well as what Stickey called "virtual thefts", where thieves use emails and phone calls to get the passwords they need to remotely penetrate sensitive systems.
LinkedIn used to choose targets
TraceSecurity's auditors employ the mindset of a cyber-criminal to determine what would be targeted, and what techniques would be used, Stickey told eWEEK.
Continued : http://www.eweekeurope.co.uk/news/study-hackers-use-social-tricks-to-get-bank-passwords-37486
European security agency issues HTML5 warning
The European Union's computer security agency warned that the draft HTML5 standard may neglect important security issues.
The European Network and Information Security Agency (ENISA) on Aug. 1 released a 61-page document that cited 51 security problems in the draft HTML5 specifications.
"It's the first time anyone has looked at those specifications from a security point of view," said Giles Hogben, program manager for secure services at ENISA.
Some of the security issues can be fixed by tweaking the specifications, while others are risks that browser users should be warned about, Hogben said.
ENISA also recommended "sandboxed," or isolated, browser sessions to protect online financial transactions in one browser window from being hijacked by malware in another open browser window.
HTML5 is curated by the World Wide Web Consortium, which will consider the suggestions and revise the specifications by January.
Continued : http://www.computerworld.com/s/article/358181/European_Group_Finds_HTML5_Security_Gaps
Traffic Ticket ... or Malicious Attachment?
Symantec Security Response Blog:
In the past we have seen malicious attacks pretending to be shipment notifications from various parcel delivery services. Now the New York State DMV has become the latest "brandjacking" victim for a series of malware attacks.
Here is what the fake message looks like: [Screenshot]
Ticket-064-211.zip is the name of the malicious attachment, and it is being identified as a variant of Trojan.FakeAV - one of the most prolific risks seen on the Internet today. Every day, bogus antivirus and security applications are released and pushed to unsuspecting users through a variety of delivery channels. Many of these programs turn out to be clones of each other. They are often created from the same code base, but presented with a different name and look, which is achieved through the use of a "skin".
Here are some of the best practices to protect yourself from malicious email attacks:
Continued : http://www.symantec.com/connect/blogs/traffic-ticketor-malicious-attachment
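The post names the attachment (Ticket-064-211.zip) but not what was inside it; the generic mail-gateway check for this class of lure is to open the archive and look at the members rather than trusting the outer name. The following is an added example, not Symantec's code or a description of that specific sample: it builds a small zip in memory (constructed content, standing in for an attachment) and inspects each member for an executable extension, a disguising double extension, a PE "MZ" header regardless of extension, a path-traversal member name, and the encrypted-member flag that defeats content scanning. Member names, the extension lists and function names are the example's own.

```python
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar", ".msi", ".dll"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png", ".html"}


def build_sample_zip(members):
    """Construct an in-memory zip from {name: bytes}; used only to fabricate test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_zip_attachment(data):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                findings.append(f"{name}: executable extension {ext}")
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
                findings.append(f"{name}: double extension disguising {ext} as .{parts[-2]}")
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(f"{name}: path traversal in member name")
            if info.flag_bits & 0x1:
                # Encrypted members cannot be read without the password; treat as unscannable.
                findings.append(f"{name}: encrypted member (content cannot be scanned)")
                continue
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                findings.append(f"{name}: PE executable content (MZ header)")
    return findings


if __name__ == "__main__":
    # Constructed lure: a disguised PE file; the real sample's contents are not known here.
    lure = build_sample_zip({"Ticket-064-211.pdf.exe": b"MZ" + b"\x90" * 62})
    for line in inspect_zip_attachment(lure):
        print(line)
    print("benign:", inspect_zip_attachment(build_sample_zip({"notes.txt": b"hello"})))
```

The MZ check is there because renaming alone (a .jpg member that is really a PE file) bypasses extension lists; the encrypted-member finding is there because a password in the mail body is a common way to get an archive past a scanner that only says "nothing found".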
German authorities park tanks on Facebook's lawn
Facebook has once again been criticised by a data protection authority in Germany for siphoning off information about the country's citizens to servers based in the US.
This time the company's "like" button and "pages" feature have been attacked by DPA officers in the Northern German federal state of Schleswig-Holstein.
On Friday, Germany's Independent Centre for Privacy Protection (ULD) called on website operators based in that region to "shut down their fan pages on Facebook and remove social plug-ins such as the 'like'-button from their websites," according to a statement on the DPA's website.
It said it had concluded that those features violated the German Telemedia Act as well as the Federal Data Protection Act.
The Schleswig-Holstein DPA noted that anyone using the functions within the dominant social network would have their "service traffic and content data" transferred to servers located in the US.
Continued : http://www.theregister.co.uk/2011/08/22/schleswig_holstein_facebook_dislikes_like_and_pages/
A Snapshot of Android Threats [INFOGRAPHIC]
TrendLabs Malware Blog:
In January this year, Trend Micro Chairman and co-founder Steve Chang was quoted as saying that Android devices are less secure than those running iOS. While his comment caused quite a stir back then, today's threat landscape seems to agree: since Steve's statement, our researchers saw a whopping 1410% increase in the number of Trojanized Android apps and actual malware targeting fans of the little green robot.
Our researchers opine that we have yet to reach a tipping point where malware becomes the biggest security issue for Android users. However, the fact that these malicious apps are out there to invade one's privacy, take control of a device, and cost users money through unnecessary billing charges is something that should be taken seriously. Add the fact that these threats, like most information security threats, rely heavily on user interaction to initiate, and awareness is the first step towards prevention.
So, for lack of a better term, in "commemoration" of the discovery of the first Android Trojan, below is an infographic that gives users a snapshot of Android threats: how they grew, how they work, and how users can protect themselves.
[Infographic]
Red Arrow crashes during air show - a cold-hearted Facebook clickjacking scam
Scammers on Facebook have once again proven themselves to be cold-hearted opportunists, unafraid to take advantage of personal tragedies for their own financial ends.
In the latest scam seen surfacing on the social network, innocent users are being tricked into believing that they will see a video of a crash at an air show which resulted in the death of a British pilot.
Flt Lt Jon Egging was killed during an RAF Red Arrows display at the Bournemouth Air Festival this weekend.
The news of the death touched many people who are fans of the world famous Red Arrows, and over 170,000 people have joined a Facebook group in Jon Egging's memory.
Although the public's generosity and compassion must be a comfort to Flight Lt Egging's widow, it's unlikely that she would find much solace in the scams which are taking advantage of her husband's death.
For instance, this page on Facebook:
Continued : http://nakedsecurity.sophos.com/2011/08/22/red-arrow-crashes-during-air-show-video-faceboo/
Baking Security Into Open WiFi Networks
What if you could make the coffee shop wireless LAN both open and secure? That's just what a group of researchers hopes to do with their new open-source code available to organizations or establishments hosting their own WiFi networks.
The newly released Secure Open Wireless Access (SOWA) proof-of-concept implementation is aimed at making openly available WiFi networks safer by giving users encrypted connections to wireless networks without their risking connecting to a rogue wireless access point or having their traffic sniffed or hijacked. Researchers from IBM's X-Force research team, as well as an independent researcher, recently joined forces to push the technology, which they first demonstrated earlier this month at Black Hat USA in Las Vegas.
At the heart of SOWA are digital certificates associated with the WLAN's SSID, which ensure that the user is actually connecting to, say, Panera Bread's or Starbucks' trusted WiFi network. This would shield users from sidejacking or other attacks that hijack their HTTP session cookies or sniff their traffic. That threat of malicious WiFi activity was intensified last fall with the release of the notorious Firefox extension called Firesheep, which made sidejacking merely a matter of point-and-click and easy enough for an everyday user and not just a hacker.
Continued : http://www.darkreading.com/authentication/167901072/security/news/231500516/baking-security-into-open-wifi-networks.html
Yale warns 43,000 about 10-month-long data breach
"FTP server on which data was stored became searchable by Google in September"
Yale University has notified about 43,000 faculty, staff, students and alumni that their names and Social Security numbers were publicly available via Google search for about 10 months.
All of the victims were affiliated with Yale in 1999, and are being offered identity theft insurance and free credit monitoring services for two years, the university said in a statement last week.
The breach resulted when a File Transfer Protocol (FTP) server on which the data was stored became searchable via Google as the result of a change the search engine giant made last September, the Yale Daily News reported.
The online publication reported that Yale IT Services Director Len Peters said the FTP server holding the compromised information was used mainly for open-source materials.
In September 2010, Google made a change that allowed its search engine to index and find FTP servers. But university IT officials were unaware of the change, Peters told the Daily News.
Continued : http://www.networkworld.com/news/2011/082211-yale-warns-43000-about-10-month-long-249979.html