NEWS - August 22, 2012

Aug 21, 2012 11:49PM PDT
Mystery malware that targeted energy group contains amateur coding goof

"The date-comparison bug is further evidence that Shamoon isn't state sponsored."

The mystery malware that recently wreaked havoc on energy sector computers contains an amateur programming error that's not typical of state-sponsored attacks, security researchers said.

The flaw, which was reported in a blog post published on Tuesday by researchers from Russia-based Kaspersky Lab, was found in "Shamoon," a piece of malware that wipes data from infected computers and also prevents them from booting up. It struck computers in at least one organization tied to the energy industry. After the word "wiper" was found embedded in the underlying binary, some researchers questioned whether the malware was linked to an earlier attack by that name that was used to destroy data belonging to Iran's oil ministry.

Kaspersky researchers later dismissed those suspicions after finding significant differences in the way the two pieces of malware behaved. Kaspersky's post on Tuesday introduced yet more evidence that Shamoon wasn't state sponsored: a programming routine that fails to accurately determine if a specified date has come.

Continued : http://arstechnica.com/security/2012/08/mystery-malware-amateur-coding-error/

Related : Flaws in Shamoon Malware Reinforce Theory It's Not A Wiper Variant

Fake Flash Player App is an SMS Trojan and Adware
Aug 22, 2012 1:04AM PDT

From the GFI Labs Blog:

Adobe marked August 15, 2012—exactly a week ago—as the last day when users could download and install Flash Player on their Android devices if they didn't have it yet. The company made this announcement so they can focus on Flash on the PC browser and mobile apps bundled with Adobe AIR. This change in focus also meant that Adobe will no longer develop and support Flash on mobile browsers.

Of course, it's possible that some Android users have missed that deadline, so they venture on to other parts of the Internet in search of alternative download sites.

It's no surprise to see that Russian scammers have, indeed, set up websites to lure users into downloading a fake Flash Player onto their Android devices. The Labs has been documenting such behavior from SMS scammers for quite some time now.

As of this writing, we've seen eight sites using Adobe's logos and icons—all are linking to the same variant of OpFake Trojan disguised as the legit Flash Player for Android. All the Russian sites used different file names for their .APK files but they're the same malicious variant. Below are just some of the file names that are used:

Continued : http://www.gfi.com/blog/fake-flash-player-app-is-an-sms-trojan-and-adware/

Firefox 17 to make add-ons more secure
Aug 22, 2012 1:04AM PDT

As suggested by some of its developers back in 2010, the Firefox browser will introduce enhanced separation between add-ons and the rest of the browser. With the change, which is planned to take effect with the release of Firefox 17, scripts on web pages will only be able to access the data belonging to add-ons if they are included in a whitelist.

The beta version of Firefox 15 already logs warning messages in the browser's Error Console when a page that is not on the whitelist tries to access data from add-ons. This behaviour has been included to make add-on developers aware of the new policy and to give them time to fix their add-on's behaviour before the release of Firefox 17.

In the current versions of Firefox, entire add-on objects can be shared by adding them to contentWindow.wrappedJSObject which allows scripts on web sites to access all data belonging to these objects through the window.sharedObject variable. With Firefox 17, add-on developers are required to explicitly mark attributes with the __exposedProps__ property which acts as a whitelist for objects that Firefox will share. Possible values for this property allow read-only access, write-only access and read and write access.

Continued : http://www.h-online.com/security/news/item/Firefox-17-to-make-add-ons-more-secure-1672626.html
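The whitelist behaviour described in the Firefox item above, modelled in plain JavaScript as an added example (not code from the article or from Mozilla). `exposeToContent()`, the `denied` log and the sample add-on object are hypothetical; the strings "r", "w" and "rw" are the read-only, write-only and read-and-write values the text mentions, and a Proxy stands in for the wrapper Firefox applies.

```javascript
"use strict";
// Model only: exposeToContent() is a hypothetical stand-in for the wrapper
// Firefox puts around an add-on object shared with page scripts.
function exposeToContent(addonObject, denied = []) {
  const allow = addonObject.__exposedProps__ || {}; // no whitelist: share nothing
  const can = (prop, op) =>
    typeof prop === "string" &&
    Object.prototype.hasOwnProperty.call(allow, prop) &&
    String(allow[prop]).includes(op);
  const deny = (op, prop) => { denied.push(`${op} ${String(prop)}`); };
  return new Proxy(addonObject, {
    get(target, prop) {
      if (can(prop, "r")) return target[prop];
      deny("read", prop); // analogous to the Error Console warning
      return undefined;
    },
    set(target, prop, value) {
      if (can(prop, "w")) target[prop] = value;
      else deny("write", prop);
      return true; // a denied write is dropped rather than thrown
    },
    has: (target, prop) => can(prop, "r"),
    ownKeys: (target) => Reflect.ownKeys(target).filter((p) => can(p, "r")),
    getOwnPropertyDescriptor: (target, prop) =>
      can(prop, "r") ? Reflect.getOwnPropertyDescriptor(target, prop) : undefined,
    defineProperty: () => false, // page scripts cannot redefine properties
    deleteProperty: () => false, // or delete them
  });
}

// Constructed add-on object; authToken is deliberately left off the whitelist.
function demo() {
  const denied = [];
  const addon = {
    version: "1.2", theme: "dark", inbox: null, authToken: "constructed-secret",
    __exposedProps__: { version: "r", theme: "rw", inbox: "w" },
  };
  const shared = exposeToContent(addon, denied); // what the page script would see
  shared.version = "9.9"; // read-only: ignored
  shared.theme = "light"; // read and write: applied
  shared.inbox = "hello"; // write-only: applied, but cannot be read back
  return {
    version: shared.version, theme: shared.theme, inbox: shared.inbox,
    token: shared.authToken, keys: Object.keys(shared),
    addonInbox: addon.inbox, denied,
  };
}
```

Sharing the whole object without a whitelist, as the current versions allow, would hand `authToken` to any page script; here it is neither readable nor enumerable.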

US Feds Shut Down Pirate Android Apps Sellers
Aug 22, 2012 1:41AM PDT

The US Department of Justice (DoJ) has issued seizure orders against three websites selling pirated Android apps.

It marks the first time such an order has been made against illicit app marketplaces and comes after an international investigation, which included cooperation with Dutch and French law enforcement officials.

The three domains, applanet.net, appbucket.net and snappzmarket.com, which were selling knock-off gear for the Google mobile OS, are now under the custody of the US federal government. Anyone who visits the sites will now be greeted by a notice from the FBI (as seen below).

[Screenshot: FBI Message]

Cops crash the party

"Software apps have become an increasingly essential part of our nation's economy and creative culture, and the criminal division is committed to working with our law enforcement partners to protect the creators of these apps and other forms of intellectual property from those who seek to steal it," said assistant attorney general Lanny Breuer of the Department of Justice's Criminal Division.

Continued : http://www.techweekeurope.co.uk/news/pirate-android-apps-us-fbi-90112

Web Sites Accused of Collecting Data on Children
Aug 22, 2012 1:41AM PDT

A coalition of nearly 20 children's advocacy, health and public interest groups plans to file complaints with the Federal Trade Commission on Wednesday, asserting that some online marketing to children by McDonald's and four other well-known companies violates a federal law protecting children's privacy.

The law, the Children's Online Privacy Protection Act, requires Web site operators to obtain verifiable consent from parents before collecting personal information about children under age 13. But, in complaints to the F.T.C., the coalition says six popular Web sites aimed at children have violated that law by encouraging children who play brand-related games or engage in other activities to provide friends' e-mail addresses — without seeking prior parental consent.

At least one company, however, said the accusation mischaracterized its practices, adding that the law allows an exception for one-time use of a friend's e-mail address. As of late Tuesday, the companies said they had not received copies of the complaints. Obtaining information about adults' social networks to e-mail marketing messages to their friends is a common industry practice called "tell a friend" or "refer a friend." But now an increasing number of children's sites are using the technique by inviting children to make customized videos promoting certain products, for example, and then sending them to friends.

Continued : http://www.nytimes.com/2012/08/22/business/media/web-sites-accused-of-collecting-data-on-children.html

Obama and Romney election apps suck up personal data, research finds
Aug 22, 2012 1:41AM PDT

Millions of US voters could be downloading smartphone apps created to promote the campaigns of President Obama and his Republican election rival Mitt Romney without noticing the intrusive permissions demanded by the software, GFI Software has reported.

Looking at the 'Obama for America' and 'Mitt's VP' apps for Android and iOS, the company uncovered a surprising volume of information users will be giving up to the candidate's campaign databases on themselves and even their friends and families.

Romney's app asks not only for a person's name, address and home phone number to create a 'MyMitt' account, but (failing that) a connection to Facebook able to collect data there, including on friends.

It also notices a user's device ID, mobile number, carrier, GPS and cell locations and warns them they might be added to the Romney campaign's contact list, presumably for priority telephone canvassing. It even asks for permission to access the smartphone's camera and audio recording, although this isn't used by the app.

The Obama for America app is similarly nosy, asking for cell and GPS location data, as well as access to the smartphone's contact book and call logs and SD Card contents.

Continued : http://www.networkworld.com/news/2012/082112-obama-and-romney-election-apps-261806.html
Frankenstein virus creates malware by pilfering code
Aug 22, 2012 1:41AM PDT

By hunting through benign bits of code on your computer, the Frankenstein virus can turn itself into something rather nasty

MARY SHELLEY'S Victor Frankenstein stitched together the body parts of ordinary individuals and created a monster. Now computer scientists have done the same with software, demonstrating the potential for hard-to-detect viruses that are stitched together from benign code pilfered from ordinary programs.

The monstrous virus software, dubbed Frankenstein, was created by Vishwath Mohan and Kevin Hamlen at the University of Texas at Dallas. Having infected a computer, it searches the bits and bytes of common software such as Internet Explorer and Notepad for snippets of code called gadgets - short instructions that perform a particular kind of small task.

Previous research has shown that it is theoretically possible, given enough gadgets, to construct any computer program. Mohan and Hamlen set out to show that Frankenstein could build working malware code by having it create two simple algorithms purely from gadgets. "The two test algorithms we chose are simpler than full malware, but they are representative of the sort of core logic that real malware uses to unpack itself," says Hamlen. "We consider this a strong indication that this could be scaled up to full malware."

Continued : http://www.newscientist.com/article/mg21528785.600-frankenstein-virus-creates-malware-by-pilfering-code.html

Cracking passwords from Philips hack - an important lesson
Aug 22, 2012 2:43AM PDT

As you may know, Philips recently suffered a data breach, when a hacking group exfiltrated a bunch of small databases and dumped them on a public drop site.

One of the databases included about 400 password hashes - a handily compact but real-world sample set for demonstrating some important points about password choice, use and storage.

To get a feel for the sort of passwords Philips customers had chosen, I decided to have a crack at them, using the popular open source software John the Ripper.

I wrote yesterday about some of the egregiously bad passwords I found, such as 123456, 12345678, 999999, and (several times) the rather obvious philips, but the actual passwords I recovered weren't as interesting as the rate at which I recovered them.

Let me show you what I mean, using one of the trendiest media instruments of 2012: an infographic! Or, in this case, a mini-infographic:

Continued : http://nakedsecurity.sophos.com/2012/08/22/cracking-passwords-from-the-philips-hack/

German Man Sentenced to 7 Yrs in Prison for Online Swindling
Aug 22, 2012 2:43AM PDT

A 23-year-old German man was sentenced to seven years in prison for an online swindle with fake Web shops that caused €1.1 million (US$1.36 million) in damages, a spokeswoman of the lower regional court in Augsburg said on Tuesday.

Authorities believe that the man, who is from Essen, led a gang of swindlers who ran a network of 187 fraudulent online shops, said Matthias Nickolai, spokesperson for the public prosecution in Augsburg. "He himself of course denied that he was the leader," Nickolai added.

The shops sold goods like electronic equipment, home appliances and precious metals among other things, he said. Customers never received the items they ordered and during the time the shops operated they "sold" goods in 2,054 known cases, said Nickolai, citing the indictment. The gang operated between November 2008 and August 2011.

Besides selling nonexistent goods, the swindlers also stole customer bank account data, which they used to pilfer more than €200,000 in 117 individual transactions, he said. The gang used a phishing email to tell victims that a computer virus compromised their accounts. Those emails led victims to a fake website that appeared to be a legitimate bank site in order to obtain account and other personal information from victims, according to the German public prosecutor.

Continued : http://www.pcworld.com/businesscenter/article/261169/german_man_sentenced_to_seven_years_in_prison_for_online_swindling.html

Naked Prince Harry pics - be careful what you click on!
Aug 22, 2012 2:43AM PDT

The internet seems to have caught fire after celeb gossip website TMZ posted what appeared to be images of Prince Harry caught playing "strip billiards" with a bunch of party girls in a Las Vegas hotel suite.

There's no doubt that Prince Harry is popular with young women, and even if the third-in-line to the British throne isn't your cup of ginger-infused tea there are plenty of internet users who may feel tempted to see what all the fuss is about.

If you're one of those people, please be careful.

There has been a long history of cybercriminals taking advantage of breaking celebrity news stories - be it the death of Michael Jackson or Amy Winehouse, Rihanna sex videos or a purported video of the killing of Osama Bin Laden.

There are too many examples to count. And it wouldn't be a surprise at all if some similar scams popped up around Prince Harry's latest hijinx.

Continued : http://nakedsecurity.sophos.com/2012/08/22/naked-prince-harry-pics/

Some Signs Point to Shamoon as Malware in Aramco Attack
Aug 22, 2012 3:06AM PDT

While researchers continue to dig into the Shamoon malware, looking for its origins and a complete understanding of its capabilities, a group calling itself the Cutting Sword of Justice is claiming responsibility for an attack on the massive Saudi oil company Aramco, which some experts believe employed Shamoon to destroy data on thousands of machines.

The attack on Aramco occurred on August 15, taking the main Web site of Saudi Aramco offline. Officials at the company said that the attack affected some of the company's workstations, but did not have any effect on oil production or on the main Aramco networks. The attackers claiming responsibility for the incident dispute that, saying that they deployed a destructive piece of malware that erased data on infected machines and then made them unusable.

"As previously said by hackers, about 30000 (30k) of clients and servers in the company were completely destroyed. Symantec, McAfee and Kaspersky wrote a detail analysis about the virus, good job. Hackers published the range of internal clients IPs which were found in the internal network and became one of the phases of the attack target," the group said in a post on Pastebin shortly after the attack.

Continued : https://threatpost.com/en_us/blogs/some-signs-point-shamoon-malware-aramco-attack-082212

Related: World's largest oil company Saudi Aramco hit by malware