NEWS - August 30, 2012

Chorus Grows Louder to Disable Java 7 After Exploit Hits Mainstream

More security researchers are recommending users disable the current version of Java after zero-day exploits gained traction in the Web world.

Patrick Runald, director of security research for Websense, told PC World today that his team had uncovered more than 100 infected domains - a figure expected to rise sharply after the exploit code for the Java vulnerabilities was added in recent days to the popular hacker tool Blackhole.

The original attack, believed to be based in China, is based on two vulnerabilities in one .jar file in Java 7.

Because of Java's ubiquitousness within Web sites, and Oracle's failure to date to release a patch out of its normal quarterly rotation, companies this week began recommending users disable Java browser plugins to help prevent the malicious code from entering machines through compromised Web sites.

"The beauty of this bug class is that it provides 100 percent reliability and is multiplatform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353)," wrote Immunity developer Esteban Guillardoy earlier this week.

US-CERT recommended as a workaround disabling the Java plugin in browsers such as Safari, Chrome, Firefox and Internet Explorer. Apple's Lion and Mountain Lion also use Java 7 while Leopard and Snow Leopard do not.

Continued :

Java 0-day exploit served from over 100 sites
Care to Disable the Java Plugin?

From the Mozilla Security Blog:

Update - Aug 29, 2012: Protecting Users Against Java Security Vulnerability

We've been closely monitoring the recent Java security vulnerability and evaluating different options to best protect our users.

Our goal is to provide protection to Firefox users against this actively exploited vulnerability in Java while also leaving the user in control so they can choose to allow Java on important sites that they trust.

We are still working out the implementation details, but our solution will accomplish two primary objectives:

1. By default, vulnerable versions of Java will be disabled for our Firefox users.
2. Users will be provided the option to enable Java through a clear and visible message that will be displayed anytime the user views a page using Java.

We'll provide additional updates when items are finalized. In the interim, we still advise users to disable the Java plugin as described below.

Continued :

Zero-day Java flaw exploited in tax email malware attack
Zero-day Java flaw exploited in targeted tax email malware attack

Experts at SophosLabs have discovered that cybercriminals have taken advantage of the critical zero-day flaw vulnerability in Java, sending out malicious emails which pretend to come from an accountancy firm announcing a rise in the tax rate.

Unsuspecting internet users who click on links contained inside the email - perhaps concerned that there has been a rise in the VAT rate - risk instantly infecting their computers.

SophosLabs discovered the email in its global network of spamtraps. The email purported to be from the Dutch branch of the accountancy firm BDO Stoy Hayward: [Screenshot]

Of course, the email doesn't really come from the accountancy firm. A closer look discovers that it has been sent from a hosting provider in the Netherlands:

Continued :

Also from Sophos: How to turn off Java on your browser - and why you should do it now

Use of Java Zero-Day Flaws Tied to Nitro Attack Crew

Researchers say that one of the attack groups using the two new Java zero-day vulnerabilities is the same group that was behind an earlier targeted attack campaign from 2011. That group was traced back to China and was essentially running a spear-phishing campaign, but now the crew, known as Nitro, is using the Java vulnerabilities in Web-based attacks that install the Poison Ivy remote-access tool.

The attacks have been going on for more than a week, researchers say, and the Nitro group apparently is reusing both their command-and-control servers and some of the file names for the malicious executables. There are two separate domains serving the Java exploit right now, and the two main executable files the attacks are using are named "Flash_update.exe" and "hi.exe".

"In these latest attacks, the attackers have developed a somewhat more sophisticated technique. They are using a Java zero-day, hosted as a .jar file on websites, to infect victims. As in the previous documented attacks, the attackers are using Backdoor.Darkmoon [another name for Poison Ivy], re-using command-and-control infrastructure, and even re-using file names such as "Flash_update.exe". It is likely that the attackers are sending targeted users emails containing a link to the malicious jar file. The Nitro attackers appear to be continuing with their previous campaign," researchers at Symantec said in an analysis of the attacks.

Continued :

GhostShell Haunts Websites With SQL Injection

"Admin and user accounts from websites breached and posted online"

A hacker gang claims to have leaked more than a million user accounts from some 100 websites worldwide, and its weapon of choice appears to mainly be good ol' SQL injection.

The GhostShell gang on Saturday posted online what it claims are accounts and records from various financial services, consulting firms, academia, law enforcement, and the CIA. "Team GhostShell's final form of protest this summer against the banks, politicians and for all the fallen hackers this year," the post said in part. "One million accounts/records leaked. We are also letting everyone know that more releases, collaborations with Anonymous and other, plus two more projects are still scheduled for this fall and winter. It's only the beginning."

Researchers at Imperva say the attackers appear to have employed mostly SQL injection, but also exploited weak passwords and vulnerable content management systems. The attackers used the popular SQLmap tool, and some of the hacked databases included more than 30,000 records.

Continued :

'Team GhostShell' hackers use SQL weakness to raid 100 websites
Hacktivists Continue To Own Systems Through SQL Injection
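The Imperva researchers above name SQL injection as the main technique behind these leaks. As an added illustration (not code from the article, Imperva, or any of the breached sites), the following Python snippet builds a constructed in-memory SQLite table and contrasts a lookup that concatenates user input into the SQL string with one that binds the input as a parameter. The table contents, column names and function names are all assumptions made for this example.

```python
import sqlite3


def build_db():
    """Create a constructed sample user table (not data from any real breach)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT UNIQUE, password_hash TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "hash_a", "alice@example.com"),
            ("bob", "hash_b", "bob@example.com"),
            ("carol", "hash_c", "carol@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the input becomes part of the SQL syntax.

    A value containing a quote can close the literal and append conditions,
    which is exactly how bulk record dumps via injection work.
    """
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Bound parameter: the driver passes the input as data, never as SQL.

    The same crafted string is simply compared against the column value
    and matches nothing.
    """
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def result_is_anomalous(rows):
    """Detection-side sanity check for a lookup on a UNIQUE column.

    More than one row back from a by-username query cannot happen through
    normal use; logging such results is a cheap indicator that the query
    layer is being manipulated.
    """
    return len(rows) > 1


if __name__ == "__main__":
    conn = build_db()
    crafted = "x' OR '1'='1"  # constructed tautology input for demonstration
    dumped = lookup_vulnerable(conn, crafted)
    safe = lookup_parameterized(conn, crafted)
    print("vulnerable query returned", len(dumped), "rows; anomalous:",
          result_is_anomalous(dumped))
    print("parameterized query returned", len(safe), "rows")
```

Parameter binding is the fix, not input filtering: the parameterized version needs no knowledge of what a hostile string looks like. The anomaly check is a complementary detection control for existing code that cannot be rewritten immediately.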

Facebook Bot Spreads Through Chat Messengers

From McAfee Labs Blog:

Malware authors are fond of using social networking sites to spread their well-crafted malware. We have recently discovered a botnet malware that receives commands from a remote attacker and spreads through different messengers to reach a victim's machine.

These bots mostly come with the filename
This malware is designed to post a download URL in chat windows of different messengers including ICQ, Skype, GTalk, Pidgin, MSN, YIM, and Facebook's web chat.

Infection Vector

The victim sees a chat window from an unknown contact with a link promising some interesting video. This is a typical trick used by malware authors. When the user clicks the link, malware gets downloaded to the machine, and infects it. [Screenshot]

The chat window that appears to victims looks very real. [Screenshot]

Continued :

Mozilla Releases Firefox 15 With New Invisible Updater

Boasting a new silent updater and an optimized memory management system, Mozilla pushed out Firefox 15 this week, the latest build of its flagship browser. Following similar steps taken by Adobe and Google with its Flash, Reader and Chrome products, Firefox's new updater will now perform updates in the background, saving users from those pesky, sometimes intrusive notifications.

Mozilla debuted a silent update mechanism for the browser in April when it released version 12 of Firefox. While that method allowed Firefox to update while the browser was running, installing that version, during its next restart, would take slightly longer. Firefox 15's background updates are different than silent updates in the sense that when an update is installed in the background, the browser will take the same amount of time to start up as it usually would.

Firefox's new memory management system should help prevent add-ons from hogging memory after a user has already closed a browser tab. The new mechanism apparently notices when extra versions of websites no longer need to be held onto and recaptures the leaked memory, according to Asa Dotzler, Mozilla's Product Manager for Firefox, in a blog post detailing the new system.

"Many users should experience greatly reduced memory consumption, particularly on long browsing sessions," wrote Nicholas Nethercote, a Firefox developer who previewed the functionality in a blog post last month.

Continued :

Firefox 15 related:
Firefox 15 arrives, supports compressed textures for impressive 3D gaming
Firefox and Thunderbird 15 fix several security vulnerabilities

UK Data Breach Reports Spike 1000 Percent In Five Years

The number of data breaches reported to the Information Commissioner's Office (ICO) has jumped by over 1000 percent in five years, according to data released after a Freedom of Information request.

Local government data breaches increased by 1,609 percent since 2007, whilst public sector organisations rose by 1,380 percent. The private sector saw a rise of 1,159 percent.

Central government breaches were up by 132 percent, said security company Imation, which requested the information. The number of overall breaches, including those that weren't reported, was likely to be considerably higher, said Nick Banks at Imation Mobile Security.

More than meets the eye?

"These figures from the ICO only cover self-reported data breaches, so we have to assume that the numbers of breaches in the real world are higher. Clearly it's impossible to speculate how many breaches are missing from these numbers, but one wonders how many breaches go unreported and are therefore missing from any official figures," Banks told TechWeekEurope.

Continued :

Also: UK data breaches up 1000% in five years

The SmartPhone Who Loved Me: FinFisher Goes Mobile?

From Citizen Lab:


This post describes our work analyzing several samples which appear to be mobile variants of the FinFisher Toolkit, and ongoing scanning we are performing that has identified more apparent FinFisher command and control servers.

Earlier this year, Bahraini Human Rights activists were targeted by an email campaign that delivered a sophisticated Trojan. In From Bahrain with Love: FinFisher's Spy Kit Exposed? we characterized the malware, and suggested that it appeared to be FinSpy, part of the FinFisher commercial surveillance toolkit. Vernon Silver concurrently reported our findings in Bloomberg, providing background on the attack and the analysis, and highlighting links to FinFisher's parent company, Gamma International.

After these initial reports, Rapid7, a Boston-based security company, produced a follow-up analysis that identified apparent FinFisher Command and Control (C&C) servers on five continents. After the release of the Rapid7 report, Gamma International representatives spoke with Bloomberg and The New York Times' Bits Blog, and denied that the servers found in 10 countries were instances of their products.

Continued :

iOS privacy app returns as a web app

Security specialist Bitdefender is now offering its "Clueful" solution as a web application. Clueful uses a database of approximately 100,000 iOS apps to provide users with details about what private information is accessed by various iOS programs. For example, for each known app Clueful lists whether it accesses the user's Address Book, encrypts locally stored application data, or tries to track the user's location.

Bitdefender says that Apple removed the application, which previously was a paid product, from the iOS App Store in June, but hasn't given it a reason for doing so. A potential cause could have been that Clueful tried to auto-detect a user's installed iOS apps so it could then display information about them. In its announcement, the security firm says that it "continues to work with Apple" to bring its software back to the App Store.

Continued :

Also: Yanked iOS app Clueful is back as free Web software

Mystery virus attack blows Qatari gas giant RasGas offline

A mystery virus has infected the network of Qatar's natural gas pumper RasGas, prompting bosses to pull the plug on the biz's internet connection. Office systems have been unusable since the malware struck on 27 August, according to local reports.

In a fax to suppliers, the company reportedly said: "RasGas is presently experiencing technical issues with its office computer systems. We will inform you when our system is back up and running."

The RasGas website remains unreachable at the time of writing on Thursday afternoon. A spokesman for the firm told Arabian Oil and Gas that the malware outbreak was not affecting gas extraction and processing.

The virus infection follows a strikingly similar attack against Saudi Aramco on 15 August, which hit 30,000 workstations and forced the world's largest oil company to suspend access to its internal and remote networks for 10 days. Oil production activities were not affected by that outbreak either.

Continued :

Also: Gas Giant RasGas Downed By Virus

Authentication questions alone no longer safe

"The answers to questions meant to verify one's identity can now be found online using search engines or social networks, which means this measure should be augmented with other authentication tools."

Questions used by service providers to authenticate users' identities can no longer be the only means of verification given that the answers can be easily found using search engines, social networking sites, or through spear phishing attacks. It should, instead, be part of a multi-level authentication strategy, observers say.

Joseph Steinberg, CEO of Green Armor Solutions, said that in today's climate of easy Internet access through mobile devices and the growing number of digital natives posting personal information online, authentication questions for network and Web site access are no longer safe.

This is because information once deemed confidential, such as one's identity or social security number and a person's mother's maiden name, can now be found by simply doing a search on Google, Steinberg explained.

Social media platforms are also good hunting ground for cybercriminals looking to find users' personal details, he pointed out. For instance, LinkedIn is a good resource for those looking for answers to questions on a person's first job, the university they studied in, and even the city the university was based in. Facebook or Pinterest, on the other hand, could provide answers to a person's mother's maiden name, the city he grew up in, or his personal interests, he said.

Continued :

Cybercriminals use throw-away domains to infiltrate enterprise networks

The first six months of 2012 saw continued increases of malicious infection activity and an intensified danger of email-based attacks as cybercriminals increasingly employed throw-away domains to infiltrate enterprise networks, according to a FireEye report.

Research shows that over 95 percent of companies are compromised by advanced malware and most are not aware of the attack.

Key findings include:

Explosive growth of advanced malware infections - Advanced malware that evades signature-based detection increased nearly 400 percent since 2011, to an average of 643 successful infections per week per company.

Intensified danger of email-based attacks - 56 percent growth in email-based attacks in 2Q 2012 versus 1Q 2012. Malicious links were more widely used than malicious attachments in the last two months of the second quarter of 2012.

Continued :

Videos Show Hackers Refining Hotel Lock Trick That Opens Millions Of Rooms

When lock maker Onity first responded last month to news that a hacker's exploit could open millions of its keycard locks installed on hotel room doors around the world, it downplayed the attack on its hardware as "unreliable, and complex to implement." It seems the hacker community took that statement as a challenge.

In videos posted on YouTube and images passed around online forums, curious hackers are already replicating, testing, and refining the techniques that 24-year old Mozilla software developer Cody Brocious demonstrated at the Black Hat security conference in July.

In his presentation, Brocious showed how he was able to build a small tool for less than $50 that can be inserted into the data port on the bottom of more than four million Onity locks around the world to open them in seconds. But at the time of his talk, a timing issue in Brocious's device meant it only worked in some instances. When I visited three hotels with him to test the exploit, he was only able to open a door in one of the three.

That issue, Onity may be unhappy to discover, seems to have been ironed out. In videos floating around YouTube, hackers plug their own homemade versions of Brocious's device into Onity locks and open them immediately.

Continued (with video) here:

Experts Demonstrate Hotel Room Lock Hack, Improve Methods
Hackers target hotel room key-card security

Secunia Updates Vulnerability, Patch Management Tool
Secunia announced the availability of the latest version of its Corporate Software Inspector product with new features to support additional operating platforms.

In Secunia CSI 6.0, the vulnerability scanner will now cover Red Hat Enterprise Linux in addition to Windows and Mac OS X, and has added the ability to scan for custom software throughout the environment. Updates can be created using the Secunia Package System and existing deployed solutions, the company noted.

In addition, there is a new level of integration with Microsoft Windows Server Update Services, Microsoft System Center Configuration Manager, Altiris Deployment Solution and other third-party configuration management tools. The integration will enable easy installation of third-party updates and make patching more straightforward, the company said.

Continued :

Also: Secunia launches Corporate Software Inspector 6.0
