

NEWS - August 27, 2012

Aug 27, 2012 12:18AM PDT
FLAMING RETORT: Frankenstein Malware - the future of cyberwar, or just a catchy headline?

A number of friends, acquaintances and readers have asked me recently about "the recent Frankenstein virus (pdf) research paper thing."

Bankrolled at least in part by the US Air Force, and openly touted by its authors as "a powerful tool for active defense (e.g., offensive cyber-operations)," this internet-era Modern Prometheus story has been widely covered in the technology media, often with a degree of admiration bordering on breathlessness. [Screenshot]

When I first heard the full title of the paper, Frankenstein: Stitching Malware from Benign Binaries, and realised that its goal was to come up with a strategy for deliberately creating malware that is harder to detect, my gut reaction was, "We don't need it, it won't work anyway, but it'll make catchy headlines."

Just how reasonable were my visceral and unscientific conclusions?

Very briefly explained, the authors, Vishwath Mohan and Kevin W. Hamlen, describe a mechanism for constructing malicious programs entirely out of code sequences which already appear in legitimate software installed on the victim's computer.

Continued : http://nakedsecurity.sophos.com/2012/08/27/flaming-retort-frankenstein-malware-the-future-of-cyberwar/

Related : Frankenstein virus creates malware by pilfering code

Dropbox Now Offers Two-Step Authentication
Aug 27, 2012 12:28AM PDT

Online file-backup and storage service Dropbox has begun offering a two-step authentication feature to help users beef up the security of their accounts. The promised change comes less than a month after the compromise of a Dropbox employee's account exposed many Dropbox user email addresses.

Dropbox users can take advantage of the new security measure by logging in at this link, and then clicking the "Security" tab. Under account sign in, click the link next to "Two-step verification." You'll have the option of getting security code sent to your mobile device, or using one of several mobile apps that leverage the Time-based One-Time Password algorithm. [Screenshot]

If you're already familiar with the Google Authenticator app for Gmail's two-step verification process (available for Android/iPhone/BlackBerry) this is a no-brainer: When prompted, open the app and create a new token, then use the app to scan the bar code on your computer screen. Enter the key generated by the app into your account settings on the site, and you're done. Other supported apps include Amazon AWS MFA (Android) and Authenticator (Windows Phone 7).

Continued : https://krebsonsecurity.com/2012/08/dropbox-now-offers-two-step-authentication/

Related:
Dropbox two-factor authentication available to early adopters
Dropbox Upgrades Security With Two-factor Authentication

Zero-Day Season is Not Over Yet
Aug 27, 2012 12:28AM PDT

From the FireEye Malware Intelligence Lab Blog:

New Java zero-day vulnerability has been spotted in the wild. We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable. In my lab environment, I was able to successfully exploit my test machine against latest version of FireFox with JRE version 1.7 update 6 installed. [Screenshot: Exploit]

Initial exploit is hosted on a domain named ok.XXX4.net. Currently this domain is resolving to an IP address in China. Attacker web site is fully functional at the time of writing this article i.e., on August 26, 2012. [Screenshot]

A successful exploit attempt can result in a dropper (Dropper.MsPMs) getting installed on infected systems. The dropper executable is located on the same server.

http: //ok.XXX4.net/meeting/hi.exe

Dropper.MsPMs further talks to its own CnC domain hello.icon.pk which is currently resolving to an IP address 223.25.233.244 located in Singapore.

Continued : http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html

Related:
New Java Zero Day Being Used in Targeted Attacks
New Java Exploit Spotted in the Wild

Attackers Pounce on Zero-Day Java Exploit
Aug 27, 2012 3:07AM PDT

Attackers have seized upon a previously unknown security hole in Oracle's ubiquitous Java software to break into vulnerable systems. So far, the attacks exploiting this weakness have been targeted and not widespread, but it appears that the exploit code is now public and is being folded into more widely-available attack tools such as Metasploit and exploit kits like BlackHole.

News of the vulnerability surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre' M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).

Also, there are indications that this exploit will soon be rolled into the BlackHole exploit kit. Contacted via instant message, the curator of the widely-used commercial attack tool confirmed that the now-public exploit code worked nicely, and said he planned to incorporate it into BlackHole as early as today. "The price of such an exploit if it were sold privately would be about $100,000," wrote Paunch, the nickname used by the BlackHole author.

Continued : http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/

Also:
Warning on critical Java hole
Java zero day vulnerability actively used in targeted attacks

Cybercrime Crackdown Yields 357 Arrests in Philippines
Aug 27, 2012 12:28AM PDT

On Thursday, law enforcement officials with the Criminal Investigation and Detection Group (CIDG) and the Presidential Anti-Organized Crime Commission (PAOCC) in the Philippines arrested more than 300 in a cybercrime sweep. The arrests took place in several subdivisions, and the operation is being hailed as the biggest cybercrime operation in the nation's history.

According to a press release from the CIDG, working alongside elements from the PAOCC, the two agencies arrested 357 nationals, mostly Taiwanese and Mainland Chinese, when they raided 20 residential units in several subdivisions located in Quezon City, Manila, Marikina, Cainta, and Antipolo Cities where the foreigners were rounded up.

The sweep was aimed at stopping a scam that originated in China, where the group would call unsuspecting victims in China and introduce themselves as members of the Chinese police. From there the victim would be told that their bank accounts were being used to launder money or to fund terrorism, and be advised to move their funds to a safe account that the police provided.

Continued : http://www.securityweek.com/cybercrime-crackdown-yields-357-arrests-philippines

Also:
357 arrested in massive cybercrime sting in Philippines
Cyber Crime Sting Sees 357 Arrested In Philippines

Saudi Oil Giant Aramco Says Things Fine After Cyber Attack
Aug 27, 2012 12:28AM PDT

Saudi Arabia-based Aramco was attacked earlier this month by malware that targeted some 30,000 workstations. According to the state-owned group which controls all of Saudi Arabia's oil production, things have been cleaned up in short time, and oil production itself was not impacted.

The early August attack gained traction because the malware itself appeared to be created solely for this campaign. It has a Hollywood quality as well, given that 30,000 systems at the world's largest oil production company were hit in a single sweep. Adding to that were the threats made by a group calling themselves the Cutting Sword of Justice, which warned that they would attack again on Saturday.

If they did launch a second attack, it failed. Most security pundits however are leaning towards the fact that the warning was an empty threat, and subsequent messages (each one unsigned) discussing the attack were simply glory hounds seeking their time in the spotlight. Despite the FUD associated with the story however, Aramco was attacked, and it took them two weeks to clean their network. The initial message on their Web site remains, despite a statement given to the media over the weekend.

Continued : http://www.securityweek.com/saudi-oil-giant-aramco-says-things-are-fine-after-cyber-attack

Related:
World's largest oil producer falls victim to 30K workstation attack
Saudi Aramco Restores Internal Network After Malware Attack

Malware Spam harvesting Facebook Information
Aug 27, 2012 12:29AM PDT

From SANS ISC:

Published: 2012-08-27,
Last Updated: 2012-08-27 13:40:02 UTC
by Johannes Ullrich

A couple of years back at our annual RSA "top threat" panels, one of the possible exploits I suggested was the use of social network information for more automated targeted e-mail. At that time, most "spear phishing" was done by first manually collecting information about the victim, then creating an e-mail based on that information. In short: The exploit didn't scale and was expensive. Most of what a halfway skilled attacker can do can be done cheaper and faster by a decent python/perl script.

Since then, we have seen a number of mass mail campaigns using automated harvesting of social network information. For example, some of the early campaigns searched Linked-In for specific job titles.

This latest one abuses information published on Facebook. The spam appears to come from a "Facebook Friend" of yours. As a sample:

From: Some Friend <randomname@yahoo.co.id> Subject: FOR FIRSTNAME To: your@emailaddress

The e-mails contain what appear to be valid Yahoo DKIM signatures, so they are likely sent from compromised or throwaway Yahoo accounts. "FIRSTNAME" would be the recipient's first name, and "Some Friend" would be the friend's name. Depending on your e-mail client, you may not see the email address used in the "From" header.

Continued : https://isc.sans.edu/diary.html?storyid=13981
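The diary's point is that a valid DKIM signature only proves the mail came from the mailbox in the From address, not from the person named in the display name, and that many clients hide that address. The following is an added example, not the ISC's code: a header-level triage script that extracts the display name, the actual address and the DKIM d= domain, checks whether the signing domain aligns with the From domain, and flags the display name of a known contact arriving from an address that contact does not use, plus the templated "FOR FIRSTNAME" subject. The sample message and address book are constructed; the DKIM tag values are placeholders, and the script assumes the receiving MTA has already verified the signature cryptographically (it does not perform the DNS lookup or RSA check itself).

```python
"""Header triage for 'friend'-style spam: who the mail claims to be from, which
domain actually signed it, and whether the subject follows the template. Written as
an illustration; not ISC's code. Assumes the MTA has already validated DKIM."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Optional

# Constructed sample modelled on the diary's description. DKIM bh=/b= are placeholders.
SAMPLE_MESSAGE = b"""From: Some Friend <randomname@yahoo.co.id>
To: alice@example.net
Subject: FOR ALICE
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.id; s=s1024; h=From:To:Subject; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE=
Content-Type: text/plain; charset=utf-8

Alice, have a look at this: http://example.invalid/
"""

# Constructed address book: names the recipient knows and the addresses they really use.
ADDRESS_BOOK = {"some friend": "somefriend@example.org"}

# The diary's subject pattern: the word FOR followed by an upper-case first name.
TEMPLATED_SUBJECT = re.compile(r"FOR [A-Z]+")


def dkim_signing_domain(msg) -> Optional[str]:
    """Return the d= tag of the DKIM-Signature header, lower-cased, or None if unsigned."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    tags = {}
    for part in str(sig).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # b= contains '=' padding, so split once
            tags[key.strip()] = value.strip()
    return tags.get("d", "").lower() or None


def analyse(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return the triage findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    dkim_domain = dkim_signing_domain(msg)
    subject = str(msg.get("Subject", "")).strip()
    known_addr = ADDRESS_BOOK.get(display.strip().lower())

    findings = {
        "display_name": display,
        "address": addr,
        "dkim_domain": dkim_domain,
        # Alignment means the From mailbox's own provider signed it (so the account is
        # real: compromised or throwaway), not that the named person sent it.
        "dkim_aligned": dkim_domain is not None
        and (from_domain == dkim_domain or from_domain.endswith("." + dkim_domain)),
        # A familiar name on an unfamiliar address is the display-name trick the diary describes.
        "impersonates_contact": known_addr is not None and known_addr.lower() != addr.lower(),
        "templated_subject": TEMPLATED_SUBJECT.fullmatch(subject) is not None,
    }
    findings["suspicious"] = findings["impersonates_contact"] or findings["templated_subject"]
    return findings


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_MESSAGE).items():
        print(f"{key:>22}: {value}")
```

The useful output is the combination: `dkim_aligned` is true and `impersonates_contact` is also true, which is exactly the case the diary describes and the case a "DKIM pass" filter rule alone will wave through. In a real mail pipeline the address book would come from the user's contacts or from observed sender history rather than a constant.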

10 Tips For Protecting Mobile Users
Aug 27, 2012 12:30AM PDT

These days, every user is mobile. Laptops, smartphones, tablets, and constant connectivity have unshackled all of us from our desks. And thanks to the ready availability of apps and cloud services that blur the line between consumer and business tools, we're also unshackled from controls over company data. Many IT departments are having a hard time keeping up--mainly because they've failed to adapt as quickly as their users to the new reality.

Most companies have some form of mobile security policy in place. Sixty-two percent of respondents to InformationWeek's 2012 Mobile Security Survey have policies that let employees use personal mobile devices for work. However, many of these policies are far from fully fleshed out. And often businesses lack the means to monitor mobile use of data across all devices and applications, which limits IT's ability to enforce those policies.

To enable users to get the most out of their mobile technology and protect them in the process, companies must consider several factors, including device selection, data security, device management, network security support for mobile devices, and application controls. We spoke with a number of experts on these matters concerning the challenges involved and to get tips on how to develop a solid mobile security program.

Continued : http://www.darkreading.com/security/perimeter-security/240006133/10-tips-for-protecting-mobile-users.html

"Tax Payment Rejected" spam campaign
Aug 27, 2012 12:32AM PDT

Bogus emails supposedly coming from the US Internal Revenue Service (IRS), informing users that their "tax transaction" has been cancelled and trying to get them to follow a malicious link, have been spotted hitting inboxes around the world.

While individuals not living in the US are unlikely to fall for the scam for obvious reasons, some US citizens might be alarmed by the message and follow the link, which will take them to a bogus "Page loading..." page, hosted on a variety of compromised hosts: [Screenshot]

The bad news is that the JavaScript that redirects the victims to one of the pages serving the Blackhole exploit kit is currently detected by only 8 of the 41 AV solutions used by VirusTotal.

The good news is that once the kit exploits one of the two software flaws it is designed to, the assortment of malware dropped on the system - the Cridex Trojan among them - is detected by at least half of those solutions.

Unfortunately, those users who don't use an AV solution - or the right one - are still heavily at risk.

Continued : http://www.net-security.org/malware_news.php?id=2242

Five 0days: HP in the security dock
Aug 27, 2012 3:46AM PDT

In compliance with its policies, the Zero Day Initiative (ZDI) has now released five security holes that HP has had more than six months to fix. All of the zero-day holes affect products in HP's enterprise and networking divisions:

HP LeftHand Virtual SAN
HP Operations Agent for NonStop
HP Intelligent Management Center
HP iNode Management Center
HP Diagnostics Server

In all five products, remote attackers can exploit programming flaws to inject and execute arbitrary code via specially crafted requests - sometimes even at SYSTEM user level. This is considered the highest threat level. In all five cases, the ZDI informed the company of the problems at the end of 2011. Yet HP failed to release patches for any of these critical security holes - hence the name zero-day, or 0day: customers have no advance notice to prepare for potential attacks that exploit these holes. Also, HP has not yet responded to requests for comment from heise Security, The H's associates in Germany.

Continued : http://www.h-online.com/security/news/item/Five-0days-HP-in-the-security-dock-1676337.html

The Top Five Rogue AV Families of 2011
Aug 27, 2012 3:46AM PDT

GFI Labs Blog:

In 2011, we have seen that rogue AVs—programs posing as legitimate antivirus software that dupe users into downloading and installing them onto systems with the lure of supposed system infections—remain a threat that continues to persist. We've seen these programs evolve from showing bogus system detections to having other kinds of malware bundled with them. And we can expect more changes to happen in rogues in the coming years, unfortunately, due to the online criminals' efforts to make them as stealthy, persuasive, and effective as possible.

GFI Labs has curated the top 5 rogue AV families based on available data we have on fake AVs from January to December of 2011. The pie chart below is a representation of these families, which includes their names and number of samples received within 12 months (expressed in percent): [Screenshot]

1. Privacy Center (MSE). This variant of the Privacy Center family leverages Microsoft Security Essentials (MSE), Microsoft's antivirus product.

2. FakeRean (Chameleon). This particular type of FakeRean rogue malware detects the specific Windows version of the system it's installed on, and displays an appropriate GUI to users in order to make the supposed detections more believable. As such, a single variant of this rogue can use any number of names to its advantage. Notorious families of worms (e.g. Bredolab) have also been known to drop this rogue to further infect the system.

Continued : http://www.gfi.com/blog/the-top-five-rogue-av-families-of-2011/

Three Domains Seized for Distributing Pirated Android Apps
Aug 27, 2012 5:31AM PDT

Federal Courts Order Seizure of Three Website Domains Involved in Distributing Pirated Android Cell Phone Apps

Seizure orders have been executed against three website domain names engaged in the illegal distribution of copies of copyrighted Android cell phone apps, Assistant Attorney General Lanny A. Breuer of the Department of Justice's Criminal Division, U.S. Attorney Sally Quillian Yates of the Northern District of Georgia, and Special Agent in Charge Brian D. Lamkin of the FBI's Atlanta Field Office announced today.

The department said that this is the first time website domains involving cell phone app marketplaces have been seized.

The seizures are the result of a comprehensive enforcement action taken to prevent the infringement of copyrighted mobile device apps. The operation was coordinated with international law enforcement, including Dutch and French law enforcement officials.

The three seized domain names—applanet.net, appbucket.net, and snappzmarket.com—are in the custody of the federal government. Visitors to the sites will now find a seizure banner that notifies them that the domain name has been seized by federal authorities and educates them that willful copyright infringement is a federal crime.

"Cracking down on piracy of copyrighted works—including popular apps—is a top priority of the Criminal Division," said Assistant Attorney General Breuer.

Continued : http://www.infosecisland.com/blogview/22283-Three-Domains-Seized-for-Distributing-Pirated-Android-Apps.html

Source: http://www.fbi.gov/atlanta/press-releases/2012/federal-courts-order-seizure-of-three-website-domains-involved-in-distributing-pirated-android-cell-phone-apps

164 Unique Android Adware Still Online
Aug 27, 2012 5:46AM PDT

TrendLabs Malware Blog:

Last week, we monitored three popular Android app stores - Google Play, Nduo and GFan - and found several adware apps on these app providers. When installed, adware typically displays annoying advertisements.

The chart below shows the adware that was still available online from August 12-18. Based on our findings, GFan had the highest number of unique apps detected as adware. This is possibly due to its popularity in the Chinese market. Developers might have created these apps, which display multiple ads on an infected device, in an attempt to target more users and generate more profit. [Screenshot]

We also found that most of the adware available on these websites consists of variants of ANDROIDOS_ADWIZP, ANDROIDOS_AIRPUSH, ANDROIDOS_ADSWO, ANDROIDOS_LEADBOLT, and ANDROIDOS_TOUCHNET. Except for TOUCHNET, all the adware mentioned has been detected previously.

Once installed, TOUCHNET not only shows ads but also displays ads in notifications. It does not show which particular app displays the ad. The latter is possibly a technique to prevent users from determining the app to be removed.

Continued : http://blog.trendmicro.com/164-unique-android-adware-still-online/