15 total posts
ESET reports trojan in Orbit Downloader
Researchers at security software company ESET have found a remotely-updating DDOS functionality built into a popular Windows download manager, Orbit Downloader.
The DDOS function appears to have been in the program for some time. When the orbitdm.exe program is run, it starts a series of communications with the servers at orbitdownloader.com, the end result of which is that the client system silently downloads via HTTP a Win32 PE DLL and a configuration file containing a list of URLs and a randomly-generated IP address for each.
This program and the list are used to conduct either a SYN flood attack or a wave of HTTP connection requests on port 80 (the HTTP port) and UDP datagrams on port 53 (DNS). The IP address that accompanied the URL in the config file is used as the source address for the attack.
Continued : http://www.zdnet.com/eset-reports-trojan-in-orbit-downloader-7000019760/
More information at PCWorld.com
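As an added example (not from ESET's write-up and not code from Orbit Downloader), the Python below scans outbound flow records from one host for the three symptoms the report describes: packets sent from an address the host does not own, bursts of SYNs to port 80 and bursts of UDP datagrams to port 53. The record format, the monitored host's address, the sample traffic and the per-second thresholds are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Addresses actually configured on the monitored host (assumed for this example).
LOCAL_ADDRS = {"192.0.2.10"}

# Constructed flow-record format (not any real sensor's output):
# <iso8601 ts> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port> [flags=<tcp flags>]
RE_FLOW = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>tcp|udp) src=(?P<src>[^:\s]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[^:\s]+):(?P<dport>\d+)(?: flags=(?P<flags>\S+))?$"
)

def parse_flow(line):
    """Return a dict for one record, or None if the line is not a flow record."""
    m = RE_FLOW.match(line)
    if m is None:
        return None
    f = m.groupdict()
    f["ts"] = datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ")
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f

def detect(lines, local_addrs=LOCAL_ADDRS, syn_per_sec=20, udp53_per_sec=20):
    """Flag the three behaviours the article describes in outbound traffic:
    spoofed source addresses, SYN floods towards :80 and UDP floods towards :53.
    Thresholds are per destination per one-second bucket and are assumptions."""
    spoofed = set()
    syn = Counter()    # (dst, second) -> outbound SYNs to port 80
    udp53 = Counter()  # (dst, second) -> outbound UDP datagrams to port 53
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        if f["src"] not in local_addrs:
            # A host cannot legitimately emit packets from an address it does
            # not own: this is the randomised source from the config file.
            spoofed.add(f["src"])
        key = (f["dst"], f["ts"].replace(microsecond=0))
        if f["proto"] == "tcp" and f["dport"] == 80 and f["flags"] == "S":
            syn[key] += 1
        elif f["proto"] == "udp" and f["dport"] == 53:
            udp53[key] += 1
    return {
        "spoofed_sources": sorted(spoofed),
        "syn_floods": sorted({dst for (dst, _), n in syn.items() if n >= syn_per_sec}),
        "udp53_floods": sorted({dst for (dst, _), n in udp53.items() if n >= udp53_per_sec}),
    }

def sample_lines():
    """Constructed traffic: a little normal browsing and DNS, then the flood pattern."""
    lines = [
        "2013-08-21T10:00:00Z proto=tcp src=192.0.2.10:51000 dst=198.51.100.5:80 flags=S",
        "2013-08-21T10:00:00Z proto=tcp src=192.0.2.10:51000 dst=198.51.100.5:80 flags=A",
        "2013-08-21T10:00:01Z proto=udp src=192.0.2.10:40000 dst=192.0.2.1:53",
    ]
    # 30 SYNs in one second, all with a spoofed source, to a single web server.
    lines += [f"2013-08-21T10:00:05Z proto=tcp src=203.0.113.77:{40000 + i} "
              f"dst=198.51.100.10:80 flags=S" for i in range(30)]
    # 25 UDP datagrams in one second to a single DNS server, same spoofed source.
    lines += [f"2013-08-21T10:00:06Z proto=udp src=203.0.113.77:{50000 + i} "
              f"dst=198.51.100.20:53" for i in range(25)]
    lines.append("garbage line that is not a flow record")
    return lines

if __name__ == "__main__":
    print(detect(sample_lines()))
```

The spoofed-source check is the cheapest and most specific indicator here: a download manager has no reason to emit packets from an address the machine does not hold, whereas a burst of SYNs to port 80 can also be a busy browser session, which is why the rate checks are bucketed per destination and per second rather than per host.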
Fake Malwarebytes Scammer Surveys Victims
From the "Malwarebytes Unpacked" Blog:
Scammers are at it again with their attempts to get users to download unnecessary software, visit pointless (and potentially dangerous) sites and fill out surveys for their own profit.
This time however, their tactic hit a little close to home.
Earlier this week, we got a tip-off from one of our followers and friends on Twitter, @bartblaze, about a Twitter account pretending to be speaking for Malwarebytes.
The Twitter account, @malwarebytesx, has posted heavily over the last couple of days about Malwarebytes Anti-Malware being available (both legitimately and a cracked version) at a posted link. They even created a variation of our logo and got 51 people to follow them! [Screenshot]
The link leads to a blogspot page titled "Malwarebytes Anti-Malware 1.75 Full + Serial" that is covered in our signage and provides a link to download "Malwarebytes Anti-Malware" with text and graphics directly from our own website. [Screenshot]
After clicking on the "Download Now" button, you are presented with a download page requesting a small favor.
Continued : http://blog.malwarebytes.org/news/2013/08/fake-malwarebytes-scammer-surveys-victims/
How Not to DDoS Your Former Employer
Pro tip: If you're planning to launch a debilitating denial-of-service attack against your former employer, try not to "like" the Facebook page of the DDoS-for-hire Web service that you intend to use in the assault.
Tell that to Kevin Courtois, a 28-year-old from Three Rivers, Quebec who was arrested earlier this year for allegedly launching a volley of cyber attacks against his former company over a nine month period beginning in May 2012. Courtois did not respond to requests for comment.
Courtois's former employer — Concepta Inc., an information security firm based in his hometown — was not the only one suffering from attacks. The assaults — which ranged in size from a few gigabits per second to up to 10 Gbps — grew so large that they began significantly affecting Concepta's Internet service provider, another Three Rivers company called Xittel. Eventually, the attacks shifted to targeting Xittel directly.
Xittel later hired Robert Masse, a security consultant from Montreal who spoke about the details of this case in a talk at the Black Hat security conference in Las Vegas last month. Xittel and Concepta compared notes and told Masse they'd settled on Courtois as the likely culprit. One potential clue: Courtois had left Concepta to start his own company that specialized in DDoS protection services.
Continued : http://krebsonsecurity.com/2013/08/how-not-to-ddos-your-former-employer/
5 tips to make your Facebook account safer
Help better safeguard your Facebook profile with these 5 quick tips.
1. Make sure only your friends can see your profile
You wouldn't just go up to a stranger in the street and start telling them about your life, so why would you want them to see your Facebook profile?
Click on the cog icon that you see in the top right-hand corner of the screen. Then click Privacy Settings.
[Screenshot: Privacy Settings]
Click Privacy - the third option down in the left-hand pane. [Screenshot: Facebook privacy]
You are now in the Privacy Settings and Tools area of Facebook. From here you can control 'Who can see my stuff?'
[Screenshot: Who can see my stuff]
By editing 'Who can see your future posts?' you will be able to choose exactly who gets to see your future updates.
[Screenshot: friends only]
• Public (which obviously means everyone)
• Only you
• Custom (which allows you to limit some of your friends from seeing your posts)
Continued : http://nakedsecurity.sophos.com/2013/08/22/5-tips-to-make-your-facebook-account-safer/
Windows 8 shouldn't be used on government computers, say IT experts
Internal documents of the German Ministry of Economic Affairs perused by a reporter of news outlet Zeit Online show (via Google Translate) that IT professionals working for the government don't consider computers running Windows 8 secure enough for government and business use.
The problem lies in Trusted Computing - a technology used to make the computer's behavior consistent by loading the hardware with a unique encryption key inaccessible to the rest of the system, and to make the computer secure against third-party manipulation - both by attackers and users.
The latest version of the Trusted Platform Module (TPM) has, so far, found its way into smartphones, tablets and game consoles, and is now slowly but surely being included into desktops and laptops. It assures that Microsoft can choose which software can be installed on the device and which not.
Continued : http://www.net-security.org/secworld.php?id=15452
Related : Is Windows 8 a Trojan horse for the NSA? The German Government thinks so
Related : Germany warns: You just CAN'T TRUST some Windows 8 PCs
Related : German agency warns Windows 8 PCs vulnerable to cyberthreats
Instascam: Instagram for PC Leads to Survey Scam
Symantec Security Response Blog:
Instagram, the popular photo and video sharing service acquired by Facebook, is often a target for spam and scams, some of which we have written about over the past year. This week, a friend shared an in-stream advertisement for a program called Instagram for PC on his Facebook timeline. This application claims to run Instagram in an emulator, so that PC users can access the service without a phone. [Screenshot: Instagram for PC website]
When trying to download a copy of Instagram for PC, we observed two separate downloads.
File #1: Missing Dynamic Link Library (.dll) File
The first download was a large RAR archive that bundled a series of dynamic link library (.dll) files along with the supposed application. When a user attempts to run the application, they will be greeted with what looks like a login screen for Instagram.
[Screenshot: Instagram PC login screen]
In reality, this login screen is a fake. If a user tries to log in, they receive a phony "Fatal error 2.4.5" message, claiming there is a missing .dll file.
Continued : http://www.symantec.com/connect/blogs/instascam-instagram-pc-leads-survey-scam
Related: Instagram for PC? Don't be duped by survey scammers
Google, Mozilla Considering Limiting Certificate Validity to 60 Months
In the wake of a parade of problems with certificate authorities and attackers using stolen digital certificates, both Google and Mozilla are poised to enforce new rules in their browsers for how long end-entity certificates should be trusted.
The changes will begin taking effect at the beginning of 2014, at least in Google Chrome, and will result in the browser no longer trusting any certificate that's more than 60 months old. Mozilla also is considering a similar move for its Firefox browser. The change is the result of the adoption of the CA/Browser Forum Baseline Requirements, a document that lays out a long list of requirements for the operation of a certificate authority and issuance of certificates. The requirements specify that CAs should not issue any certificates with a validity period longer than five years.
In a message Aug. 19 on the CA/B Forum mailing list, a Google employee said that the company is planning to comply with this rule in Chrome and Chrome OS beginning in 2014 with Developer and Beta channel builds, eventually moving to the Stable channel sometime during the first quarter.
Continued : http://threatpost.com/google-mozilla-considering-limiting-certificate-validity-to-60-months/102062
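An added example, not Google's or Mozilla's code, of applying the 60-month cap to a peer certificate as Python's ssl module presents it. It parses the notBefore/notAfter strings with ssl.cert_time_to_seconds (the same "Aug 23 12:00:00 2013 GMT" form that openssl prints) and compares the validity period against the cap. Counting the cap in calendar months, clamped at month end, is an assumption; the article only gives the figure of 60 months. The sample dates are constructed.

```python
import calendar
import ssl
from datetime import datetime, timezone

# Cap from the CA/B Forum Baseline Requirements as quoted in the article.
MAX_VALIDITY_MONTHS = 60

def parse_cert_time(s: str) -> datetime:
    """Parse the 'Aug 23 12:00:00 2013 GMT' form used by ssl.getpeercert()
    and by 'openssl x509 -dates'; certificate times are UTC (RFC 5280)."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), tz=timezone.utc)

def add_months(d: datetime, months: int) -> datetime:
    """Calendar-month addition that clamps to the last day of the target month,
    so 29 Feb 2012 + 60 months is 28 Feb 2017. Counting the cap in calendar
    months rather than days is an assumption made for this example."""
    q, r = divmod(d.month - 1 + months, 12)
    year, month = d.year + q, r + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return d.replace(year=year, month=month, day=day)

def validity_within_cap(not_before: str, not_after: str,
                        max_months: int = MAX_VALIDITY_MONTHS) -> bool:
    """True when notAfter is no later than notBefore plus max_months."""
    nb, na = parse_cert_time(not_before), parse_cert_time(not_after)
    if na <= nb:
        raise ValueError("notAfter must be later than notBefore")
    return na <= add_months(nb, max_months)

def check_peer_cert(cert: dict, max_months: int = MAX_VALIDITY_MONTHS) -> dict:
    """Run the policy over a dict shaped like ssl.SSLSocket.getpeercert()."""
    ok = validity_within_cap(cert["notBefore"], cert["notAfter"], max_months)
    return {"notBefore": cert["notBefore"], "notAfter": cert["notAfter"],
            "within_cap": ok}

if __name__ == "__main__":
    # Constructed dates, not taken from any real certificate.
    five_year = {"notBefore": "Jan  1 00:00:00 2013 GMT", "notAfter": "Jan  1 00:00:00 2018 GMT"}
    ten_year = {"notBefore": "Jan  1 00:00:00 2013 GMT", "notAfter": "Jan  1 00:00:00 2023 GMT"}
    print(check_peer_cert(five_year))   # within_cap: True
    print(check_peer_cert(ten_year))    # within_cap: False
```

Note that the rule is about the certificate's validity period (notAfter minus notBefore), not about how old the certificate is today, which is why the check never consults the current time. In a live client the dict would come from `sock.getpeercert()` after the handshake, and an over-long period would be treated as a failure on top of the normal chain validation, not instead of it.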
SoundCloud Users Targeted by Scammers with Spam and Dubious Software
Bitdefender's "Hot for Security" Blog:
Users of the audio platform SoundCloud are targeted by scammers with spam and dubious software offers, according to ThreatTrack Security. Experts warn that over the last year cyber-criminals uploaded several files that misused brands of popular movies and TV shows to redirect users to spammy content.
The links embedded in the files lead to shady websites such as paid services, survey scams with fake prizes, and dubious software.
"It seems this technique has been around for at least 10 months (and possibly longer) on the SoundCloud service," Senior Threat Researcher Chris Boyd said.
"In all cases, the 'music file' appears to be webcam microphone feedback, or random snippets of conversation heard in the background. I'm not sure if the people talking are the ones uploading the content, but you'd think they'd show a little initiative and create a fun jingle to listen to or something."
Continued : http://www.hotforsecurity.com/blog/soundcloud-users-targeted-by-scammers-with-spam-and-dubious-software-6918.html
Related : Spammers Get Jamming on SoundCloud
Mozilla 'Plug-n-Hack' project aims for tighter security tool integration
Mozilla is developing a protocol that aims to let security tools and Web browsers work better together.
Configuring a web browser to work with a security tool involves writing platform and browser-specific extensions, a non-trivial process that discourages people with less experience, wrote Simon Bennetts, a security automation engineer with Mozilla, on Thursday.
The proposed standard, called "Plug-n-Hack," will define how security extensions can work with a browser in a more usable way, Bennetts wrote. PnH will allow the security tool to "declare the functionality that they support which is suitable for invoking directly from the browser."
Under the current arrangement, if a user wants to, for example, intercept HTTPS traffic, a user must configure proxy connections through the tool and browser correctly and import the tool's SSL (Secure Sockets Layer) certificate, Bennetts wrote.
Continued : http://news.techworld.com/security/3465373/mozilla-plug-n-hack-project-aims-for-tighter-security-tool-integration/
PayPal fixes critical account switcheroo bug after researcher tipoff
PayPal has fixed a critical flaw that allowed an attacker to delete any account at will and replace it with one of their own.
In April, security researcher Ionut Cernica discovered that US PayPal account holders could add an email address to someone else's account by visiting a PayPal webpage. This then allowed the account to be deleted, he showed in a demonstration video (beware, old-school techno soundtrack):
"After you added an existing email to your account if you go to the account profile and you delete the unconfirmed email, the original account will be deleted too," Cernica's report reads.
"After you removed the account, you can make another one with same username with your desired password, but you will have no money and is not confirmed."
In order to achieve verified PayPal status, the attacker would simply need to assign a bank account or credit card to the replacement username and go through the standard accreditation procedure. If the scam wasn't spotted quickly, funds could then be siphoned off as soon as they came in.
Continued : http://www.theregister.co.uk/2013/08/23/paypal_fixes_critical_account_switcheroo_bug_after_researcher_tipoff/
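An added example, not PayPal's code: the internals below are a hypothetical account model that reproduces the behaviour Cernica describes, alongside a hardened version. The vulnerable store lets a caller attach an address that already belongs to another account, and its removal path keys on the address rather than on the calling account, so deleting the unconfirmed address deletes the original owner and frees the username. The hardened store refuses the first step and limits the second to the caller's own record. Usernames, addresses and balances are constructed.

```python
class AccountError(Exception):
    pass

class VulnerableStore:
    """Hypothetical account model that reproduces the behaviour in the report.
    The internal cause is an assumption; only the observable effect (add someone
    else's address, delete it while unconfirmed, their account is gone) is from
    the article."""

    def __init__(self):
        self.accounts = {}     # username -> {"emails": {address: confirmed}, "balance": int}
        self.email_owner = {}  # address -> username that originally registered it

    def create(self, username, address, balance=0):
        if username in self.accounts or address in self.email_owner:
            raise AccountError("username or address already taken")
        self.accounts[username] = {"emails": {address: True}, "balance": balance}
        self.email_owner[address] = username

    def add_email(self, actor, address):
        # Bug 1: no check that the address is already bound to another account;
        # it is simply attached to the caller as "unconfirmed".
        self.accounts[actor]["emails"][address] = False

    def remove_email(self, actor, address):
        confirmed = self.accounts[actor]["emails"].pop(address)
        if not confirmed:
            # Bug 2: clean-up of an unconfirmed address is keyed on the address,
            # not on the caller, so it tears down whichever account owns it.
            owner = self.email_owner.pop(address, None)
            if owner is not None:
                del self.accounts[owner]

class HardenedStore(VulnerableStore):
    def add_email(self, actor, address):
        owner = self.email_owner.get(address)
        if owner is not None and owner != actor:
            raise AccountError("address is registered to another account")
        self.accounts[actor]["emails"][address] = False
        self.email_owner[address] = actor

    def remove_email(self, actor, address):
        emails = self.accounts[actor]["emails"]
        if address not in emails:
            raise AccountError("address is not on this account")
        if len(emails) == 1:
            raise AccountError("an account must keep at least one address")
        del emails[address]
        # Only the caller's own binding is touched; no account is ever deleted here.
        self.email_owner.pop(address, None)

def run_attack(store_cls):
    """Replay the reported steps against a store and report the outcome."""
    s = store_cls()
    s.create("victim", "victim@example.com", balance=500)
    s.create("attacker", "attacker@example.com")
    try:
        s.add_email("attacker", "victim@example.com")      # step 1: add an existing address
        s.remove_email("attacker", "victim@example.com")   # step 2: delete it while unconfirmed
    except AccountError:
        pass
    survived = "victim" in s.accounts
    recreated = False
    if not survived:
        s.create("victim", "victim@example.com")           # step 3: re-register the freed username
        recreated = True
    return {"victim_survived": survived, "username_recreated_by_attacker": recreated}

if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableStore))
    print("hardened:  ", run_attack(HardenedStore))
```

The general lesson is the one the report points at: an unverified claim ("this address is mine") must never be allowed to alter another principal's records, and a delete path must be scoped to the authenticated caller's own objects rather than resolved through a shared index.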
Clever trick enhances secrecy of iPhone text messages
In surveillance era, clever trick enhances secrecy of iPhone text messages
"Perfect forward secrecy" comes to iOS and gets a boost on Android.
A security researcher has developed a technique that could significantly improve the secrecy of text messages sent in near real time on iPhones. The technique, which will debut in September in an iOS app called TextSecure, will also be folded into a currently available Android app by the same name.
The cryptographic property known as perfect forward secrecy has always been considered important by privacy advocates, but it has taken on new urgency following the recent revelations of widespread surveillance of Americans by the National Security Agency. Rather than use the same key to encrypt multiple messages—the way, say, PGP- and S/MIME-protected e-mail programs do—applications that offer perfect forward secrecy generate ephemeral keys on the fly. In the case of some apps, including the OTR protocol for encrypting instant messages, each individual message within a session is encrypted with a different key.
The use of multiple keys makes eavesdropping much harder. Even if the snoop manages to collect years worth of someone's encrypted messages, he would have to crack hundreds or possibly hundreds of thousands of keys to transform the data into the "plaintext" that a human could make sense of. What's more, even if the attacker obtains or otherwise compromises the computer that his target used to send the encrypted messages, it won't be of much help if the target has deleted the messages. Since the keys used in perfect forward secrecy are ephemeral, they aren't stored on the device.
Continued : http://arstechnica.com/security/2013/08/in-surveillance-era-clever-trick-enhances-secrecy-of-iphone-text-messages/
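The per-message keys the article describes, as an added Python example that is not the TextSecure or OTR code: a hash-chain ratchet derives a fresh key for every message and overwrites the chain key with its one-way successor, so a device seized later holds nothing from which earlier message keys can be recomputed, while the legitimate peer still derives the identical sequence. The root secret stands in for the output of an ephemeral DH exchange (the DH step is assumed, not implemented), and the SHA-256 counter-mode keystream is illustration only, with no authentication.

```python
import hashlib
import hmac
import os

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way key derivation step (HMAC-SHA256 with a domain label)."""
    return hmac.new(key, label, hashlib.sha256).digest()

class SymmetricRatchet:
    """Hash-chain key schedule. Every call hands out a fresh message key and
    replaces the chain key with its one-way successor, so state captured later
    does not contain, and cannot be walked back to, earlier message keys."""

    def __init__(self, root_secret: bytes):
        # root_secret stands in for an ephemeral DH result shared by the two
        # endpoints; that exchange is assumed here, not implemented.
        self._chain_key = kdf(root_secret, b"chain-init")
        self.counter = 0

    def next_message_key(self) -> bytes:
        msg_key = kdf(self._chain_key, b"message")
        self._chain_key = kdf(self._chain_key, b"chain")  # previous chain key is gone
        self.counter += 1
        return msg_key

def keystream_xor(msg_key: bytes, data: bytes) -> bytes:
    """Illustrative SHA-256 counter-mode keystream; the same call decrypts.
    Unauthenticated, so a real protocol uses an AEAD or encrypt-then-MAC here."""
    out = bytearray()
    for counter, off in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(msg_key + counter.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def exchange(messages, root_secret=None):
    """Two endpoints ratcheting in lockstep. Returns the per-message keys the
    sender used and the plaintexts the receiver recovered."""
    root_secret = root_secret or os.urandom(32)
    alice, bob = SymmetricRatchet(root_secret), SymmetricRatchet(root_secret)
    keys, recovered = [], []
    for m in messages:
        k = alice.next_message_key()
        ciphertext = keystream_xor(k, m)
        recovered.append(keystream_xor(bob.next_message_key(), ciphertext))
        keys.append(k)
    return keys, recovered

def keys_from_stolen_state(root_secret: bytes, already_sent: int, n: int):
    """Model a device seized after `already_sent` messages: only the current
    chain key survives, and it yields the next n keys but none of the earlier ones."""
    victim = SymmetricRatchet(root_secret)
    for _ in range(already_sent):
        victim.next_message_key()            # these keys were used once and wiped
    thief = SymmetricRatchet(b"")            # placeholder; state is copied over next
    thief._chain_key, thief.counter = victim._chain_key, victim.counter
    return [thief.next_message_key() for _ in range(n)]

if __name__ == "__main__":
    root = os.urandom(32)   # constructed in place of a DH result
    keys, plain = exchange([b"first", b"second", b"third"], root)
    print(plain, len(set(keys)), "distinct keys")
```

The function keys_from_stolen_state also shows the limit of a symmetric chain on its own: whoever captures the current state can derive every future key from it, just not the past ones. Closing that gap is what the periodic DH re-keying in OTR and TextSecure adds on top of the hash chain.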
VMware Patches Root Privilege-Escalation Flaw
VMware has fixed a privilege-escalation flaw in two of its major products that could allow a local attacker to gain root privileges on a vulnerable machine. The bug affects VMware Workstation and Player on certain Linux platforms.
The vulnerability, which VMware patched on Thursday, does not enable an attacker to jump from the host operating system to the guest OS or vice versa, which mitigates some of the seriousness of the bug. VMware said that the problem affects its products running on Debian-based systems.
"VMware Workstation and Player contain a vulnerability in the handling of the vmware-mount command. A local malicious user may exploit this vulnerability to escalate their privileges to root on the host OS. The issue is present when Workstation or Player are installed on a Debian-based version of Linux," the VMware advisory says.
"The vulnerability does not allow for privilege escalation from the Guest Operating System to the host or vice-versa. This means that host memory can not be manipulated from the Guest Operating System."
Continued : http://threatpost.com/vmware-patches-root-privilege-escalation-flaw/102067
@ SANS ISC: PHP and VMWare Updates
See Vulnerabilities / Fixes: VMware Workstation / Player "vmware-mount" Privilege Escalation Vulnerability